1   package groovy.security;
2   
3   import groovy.lang.GroovyClassLoader;
4   import groovy.lang.GroovyCodeSource;
5   
6   import java.io.File;
7   import java.io.IOException;
8   import java.io.InputStream;
9   import java.net.URL;
10  import java.security.Security;
11  import java.util.PropertyPermission;
12  
13  import org.codehaus.groovy.control.CompilationFailedException;
14  
15  import junit.framework.Test;
16  import junit.framework.TestSuite;
17  import junit.textui.TestRunner;
18  
19  /***
20   * Tests the effects of enabling security in Groovy.  Some tests below check for proper framework
21   * behavior (e.g. ensuring that a GroovyCodeSource may only be created when the proper permissions exist).
22   * Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
23   * are required for success.
24   * 
25   * @author Steve Goetze
26   */
public class SecurityTest extends SecurityTestSupport {

    /**
     * Runs this suite with the JUnit text runner.
     *
     * @param args not used
     */
    public static void main(String[] args) {
        final Test all = suite();
        TestRunner.run(all);
    }

    /**
     * Builds the suite from the test methods of this class.
     *
     * @return a {@code TestSuite} created from {@code SecurityTest.class}
     */
    public static Test suite() {
        final TestSuite everything = new TestSuite(SecurityTest.class);
        return everything;
    }

    /**
     * Runs an inline script that reads {@code user.home}, with no codebase given, and names
     * {@code PropertyPermission("user.home", "read")} as the permission the run should be denied.
     */
    public void testForbiddenProperty() {
        final PropertyPermission missing = new PropertyPermission("user.home", "read");
        assertExecute("System.getProperty(\"user.home\")", null, missing);
    }

    /**
     * Runs an inline script that imports {@code sun.net.*} under the codebase
     * {@code /groovy/security/testForbiddenPackage} and expects the
     * {@code accessClassInPackage.sun.*} runtime permission to be missing.
     */
    public void testForbiddenPackage() {
        // NOTE(review): this test does not set package.access itself, so it presumably relies on
        // the JVM's default restricted-package list covering sun.* -- confirm. Two other tests in
        // this class overwrite that list, which would make this one order-sensitive unless
        // SecurityTestSupport (not visible here) restores it.
        final RuntimePermission missing = new RuntimePermission("accessClassInPackage.sun.*");
        assertExecute("import sun.net.*; s = new NetworkClient()", "/groovy/security/testForbiddenPackage", missing);
    }

    /**
     * Runs {@code forbiddenCodeBase.gvy} and expects the
     * {@code GroovyCodeSourcePermission} for {@code /groovy/security/forbiddenCodeBase} to be missing.
     */
    public void testForbiddenCodebase() {
        final File scriptFile = new File("src/test/groovy/security/forbiddenCodeBase.gvy");
        assertExecute(scriptFile, new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
    }

    /**
     * Checks that the {@code package.access} security property is enforced: the same script is
     * run under a codebase that should be denied and under one that should be allowed.
     */
    public void testPackageAccess() {
        final String printScript = "new javax.print.PrintException();";
        // NOTE(review): this replaces the JVM-wide package.access value with a single entry and
        // nothing in this class puts the previous value back. Whether SecurityTestSupport restores
        // it is not visible here -- confirm, since later tests would otherwise run with a different
        // restricted-package list than the one the JVM started with.
        Security.setProperty("package.access", "javax.print");
        // Expected to raise an AccessControlException: this codebase is not allowed javax.print.
        final RuntimePermission denied = new RuntimePermission("accessClassInPackage.javax.print");
        assertExecute(printScript, "/groovy/security/javax/print/deny", denied);
        // Expected to succeed: groovy.policy grants this codebase access to javax.print.
        assertExecute(printScript, "/groovy/security/javax/print/allow", null);
    }

    /** Runs {@code BadScriptNameBug.groovy}; no missing permission is expected. */
    public void testBadScriptNameBug() {
        final File scriptFile = new File("src/test/groovy/bugs/BadScriptNameBug.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code ClosureListenerTest.groovy}; no missing permission is expected. */
    public void testClosureListenerTest() {
        final File scriptFile = new File("src/test/groovy/ClosureListenerTest.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code ClosureMethodTest.groovy}; no missing permission is expected. */
    public void testClosureMethodTest() {
        final File scriptFile = new File("src/test/groovy/ClosureMethodTest.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code GroovyMethodsTest.groovy}; no missing permission is expected. */
    public void testGroovyMethodsTest() {
        final File scriptFile = new File("src/test/groovy/GroovyMethodsTest.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code ClosureWithDefaultParamTest.groovy}; no missing permission is expected. */
    public void testClosureWithDefaultParamTest() {
        final File scriptFile = new File("src/test/groovy/ClosureWithDefaultParamTest.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code Groovy303_Bug.groovy}; no missing permission is expected. */
    public void testGroovy303_Bug() {
        final File scriptFile = new File("src/test/groovy/bugs/Groovy303_Bug.groovy");
        assertExecute(scriptFile, null);
    }

    /** Runs {@code ScriptTest.groovy}; no missing permission is expected. */
    public void testScriptTest() {
        final File scriptFile = new File("src/test/groovy/script/ScriptTest.groovy");
        assertExecute(scriptFile, null);
    }

    /**
     * Runs {@code SqlCompleteWithoutDataSourceTest.groovy}; no missing permission is expected.
     * Besides needing several permissions, this script is an example of the groovy class loader
     * being required when the script is invoked as well as while it is compiled.
     */
    public void testSqlCompleteWithoutDataSourceTest() {
        final File scriptFile = new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy");
        assertExecute(scriptFile, null);
    }

    /**
     * Guards against scripts invoking the groovy compiler by restricting access to the
     * {@code org.codehaus.groovy} packages, then expects the matching
     * {@code accessClassInPackage} runtime permission to be missing.
     */
    public void testMetaClassTest() {
        // NOTE(review): as in testPackageAccess, this overwrites the JVM-wide package.access value
        // and this class never restores it -- confirm that SecurityTestSupport does.
        Security.setProperty("package.access", "org.codehaus.groovy");
        final File scriptFile = new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy");
        assertExecute(scriptFile, new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
    }

    /**
     * Regression test for a CodeSource bug reported on the mailing list by Richard Hensley:
     * a {@code GroovyCodeSource} created from a URL caused a NullPointerException.
     * There is no assertion; the test passes when construction and parsing throw nothing.
     *
     * @throws IOException declared by the original test for the code-source and parse calls
     * @throws CompilationFailedException if the script does not compile
     */
    public void testCodeSource() throws IOException, CompilationFailedException {
        final URL scriptUrl = loader.getResource("groovy/ArrayTest.groovy");
        loader.parseClass(new GroovyCodeSource(scriptUrl));
    }

}