1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.groovy.internal

File SecureGroovyCompilationCustomizerTest.java

 


Classes

Class Line # Actions
SecureGroovyCompilationCustomizerTest 44 32 0% 8 1
97.4%
 

Contributing tests

This file is covered by 2 tests.

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.groovy.internal;
21   
22    import java.util.Arrays;
23    import java.util.Collections;
24   
25    import javax.script.ScriptEngine;
26    import javax.script.ScriptEngineFactory;
27    import javax.script.ScriptEngineManager;
28    import javax.script.ScriptException;
29   
30    import org.jmock.Expectations;
31    import org.junit.Assert;
32    import org.junit.Test;
33    import org.xwiki.configuration.ConfigurationSource;
34    import org.xwiki.security.authorization.ContextualAuthorizationManager;
35    import org.xwiki.security.authorization.Right;
36    import org.xwiki.test.jmock.AbstractComponentTestCase;
37   
38    /**
39    * Unit tests for {@link SecureGroovyCompilationCustomizer}.
40    *
41    * @version $Id: dcbc28748174197385af32f59eb3dcb4d217aae6 $
42    * @since 4.1M1
43    */
 
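public class SecureGroovyCompilationCustomizerTest extends AbstractComponentTestCase
{
    /** Groovy engine prepared by {@link #setUpWhenNoProgrammingRights()} and used by the assertion helpers. */
    private ScriptEngine engine;

    /**
     * With the "secure" customizer configured and {@code Right.PROGRAM} denied, restricted scripts must fail to
     * evaluate while a harmless script must still run.
     */
    @Test
    public void executeWithSecureCustomizerWhenNoProgrammingRights() throws Exception
    {
        setUpWhenNoProgrammingRights();

        // Verify synchronized statements are not authorized
        assertProtectedScript("synchronized(this) { }");
        // Verify we can't call System methods
        assertProtectedScript("System.exit(0)");
        // Verify we can't access private variables
        assertProtectedScript("\"Hello World\".value[0]");

        // Verify we can do a new and use Integer class
        assertSafeScript("new Integer(6)");
    }

    /**
     * With the "secure" customizer configured but {@code Right.PROGRAM} granted, a script that is rejected in the
     * restricted case must evaluate without error.
     */
    @Test
    public void executeWithSecureCustomizerWhenProgrammingRights() throws Exception
    {
        // Kept in a local with its own name so it cannot be confused with the restricted engine held in the field.
        ScriptEngine privilegedEngine = createGroovyEngine(true);

        // Verify that the Secure AST Customizer is not active by running a Groovy script that raises an exception
        // when the Secure AST Customizer is active
        privilegedEngine.eval("synchronized(this) { }");
    }

    /**
     * Prepares {@link #engine} as a Groovy engine whose authorization mock denies {@code Right.PROGRAM}.
     */
    private void setUpWhenNoProgrammingRights() throws Exception
    {
        this.engine = createGroovyEngine(false);
    }

    /**
     * Registers the configuration and authorization mocks, then looks up the Groovy script engine.
     * <p>
     * Both tests need the same wiring and differ only in the answer given for {@code Right.PROGRAM}, so the setup
     * lives here once instead of being copied into each test.
     *
     * @param hasProgrammingRights the value the mocked {@code hasAccess(Right.PROGRAM)} call returns
     * @return the engine registered under the name "groovy"
     * @throws Exception if a mock cannot be registered or the engine factory cannot be looked up
     */
    private ScriptEngine createGroovyEngine(final boolean hasProgrammingRights) throws Exception
    {
        final ConfigurationSource source = registerMockComponent(ConfigurationSource.class);
        final ContextualAuthorizationManager cam = registerMockComponent(ContextualAuthorizationManager.class);

        getMockery().checking(new Expectations()
        {{
            // The configuration asks for the "secure" customizer in both scenarios.
            oneOf(source).getProperty("groovy.compilationCustomizers", Collections.emptyList());
            will(returnValue(Arrays.asList("secure")));
            oneOf(cam).hasAccess(Right.PROGRAM);
            will(returnValue(hasProgrammingRights));
        }});

        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngineFactory groovyScriptEngineFactory =
            getComponentManager().getInstance(ScriptEngineFactory.class, "groovy");
        manager.registerEngineName("groovy", groovyScriptEngineFactory);

        ScriptEngine groovyEngine = manager.getEngineByName("groovy");
        // getEngineByName returns null when no engine matches; fail with a clear message rather than a later NPE.
        Assert.assertNotNull("No script engine registered under the name [groovy]", groovyEngine);
        return groovyEngine;
    }

    /**
     * Asserts that evaluating the script on the restricted engine fails with a {@link ScriptException}.
     *
     * @param script the Groovy source expected to be rejected
     */
    private void assertProtectedScript(String script)
    {
        try {
            this.engine.eval(script);
            // Name the script so a regression shows which restriction stopped being enforced.
            Assert.fail("Should have thrown an exception here for script [" + script + "]");
        } catch (ScriptException e) {
            // Expected, test passed!
            // NOTE(review): any ScriptException satisfies this check, including one raised for a reason unrelated
            // to the secure customizer. Asserting on the cause would make the test stricter - confirm which
            // exception type the customizer raises before tightening.
        }
    }

    /**
     * Evaluates the script on the restricted engine; any exception propagates and fails the calling test.
     *
     * @param script the Groovy source expected to be allowed
     * @throws Exception if the engine rejects or fails to run the script
     */
    private void assertSafeScript(String script) throws Exception
    {
        this.engine.eval(script);
    }
}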