1   package groovy.security;
2   
3   import groovy.lang.GroovyCodeSource;
4   
5   import java.io.File;
6   import java.io.IOException;
7   import java.net.URL;
8   import java.security.Security;
9   import java.util.PropertyPermission;
10  
11  import org.codehaus.groovy.control.CompilationFailedException;
12  
13  import junit.framework.Test;
14  import junit.framework.TestSuite;
15  import junit.textui.TestRunner;
16  
17  /***
18   * Test the effects of enabling security in Groovy.  Some tests below check for proper framework
19   * behavior (e.g. ensuring that GroovyCodeSources may only be created for which proper permissions exist).
20   * Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
21   * are required for success.
22   * 
23   * @author Steve Goetze
24   */
25  public class SecurityTest extends SecurityTestSupport {
26  
27  	public static void main(String[] args) {
28          TestRunner.run( suite() );
29      }
30     
31      public static Test suite() {
32      	return new TestSuite(SecurityTest.class);
33      }
34  
35  	public void testForbiddenProperty() {
36  		String script = "System.getProperty(\"user.home\")";
37  		assertExecute(script, null, new PropertyPermission("user.home", "read"));
38  	}
39  
40  	public void testForbiddenPackage() {
41  		String script = "import sun.net.*; s = new NetworkClient()";
42  		assertExecute(script, "/groovy/security/testForbiddenPackage", new RuntimePermission("accessClassInPackage.sun.*"));
43  	}
44  
45  	public void testForbiddenCodebase() {
46  		assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
47  	}
48  	
49  	//Check that the Security package.access control works.
50  	public void testPackageAccess() {
51  		String script = "new javax.print.PrintException();";
52          Security.setProperty("package.access", "javax.print");
53          //This should throw an ACE because its codeBase does not allow access to javax.print
54  		assertExecute(script, "/groovy/security/javax/print/deny", new RuntimePermission("accessClassInPackage.javax.print"));
55  		//This should not throw an ACE because groovy.policy grants the codeBase access to javax.print
56  		assertExecute(script, "/groovy/security/javax/print/allow", null);
57  	}
58  	
59  	public void testBadScriptNameBug() {
60  		assertExecute(new File("src/test/groovy/bugs/BadScriptNameBug.groovy"), null);
61  	}
62  
63  	public void testClosureListenerTest() {
64  		assertExecute(new File("src/test/groovy/ClosureListenerTest.groovy"), null);
65  	}
66  
67  	public void testClosureMethodTest() {
68  		assertExecute(new File("src/test/groovy/ClosureMethodTest.groovy"), null);
69  	}
70  
71  	public void testGroovyMethodsTest() {
72  		assertExecute(new File("src/test/groovy/GroovyMethodsTest.groovy"), null);
73  	}
74  
75  	public void testClosureWithDefaultParamTest() {
76  		assertExecute(new File("src/test/groovy/ClosureWithDefaultParamTest.groovy"), null);
77  	}
78  
79  	public void testGroovy303_Bug() {
80  		assertExecute(new File("src/test/groovy/bugs/Groovy303_Bug.groovy"), null);
81  	}
82  
83  	public void testScriptTest() {
84  		assertExecute(new File("src/test/groovy/script/ScriptTest.groovy"), null);
85  	}
86  	
87  	//In addition to requiring several permissions, this test is an example of the case
88  	//where the groovy class loader is required at script invocation time as well as
89  	//during compilation.
90  	public void testSqlCompleteWithoutDataSourceTest() {
91  		assertExecute(new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy"), null);
92  	}
93  	
94  	//Test to prevent scripts from invoking the groovy compiler.  This is done by restricting access
95  	//to the org.codehaus.groovy packages.
96  	public void testMetaClassTest() {
97          Security.setProperty("package.access", "org.codehaus.groovy");
98  		assertExecute(new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy"), new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
99  	}
100 	
101 	//Mailing list post by Richard Hensley reporting a CodeSource bug.  A GroovyCodeSource created
102 	//with a URL was causing an NPE.
103 	public void testCodeSource() throws IOException, CompilationFailedException {
104 		URL script = loader.getResource("groovy/ArrayTest.groovy");
105 		GroovyCodeSource gcs = new GroovyCodeSource(script);
106 		Class result = loader.parseClass(gcs);
107 	}
108 	
109 }