package org.xwiki.rendering.macro.groovy; |
import java.util.ArrayList; |
import java.util.Collections; |
import java.util.List; |
import org.apache.commons.lang3.StringUtils; |
import org.jmock.Expectations; |
import org.junit.Assert; |
import org.junit.Before; |
import org.junit.Test; |
import org.xwiki.bridge.DocumentAccessBridge; |
import org.xwiki.configuration.ConfigurationSource; |
import org.xwiki.model.reference.AttachmentReferenceResolver; |
import org.xwiki.rendering.block.MacroBlock; |
import org.xwiki.rendering.macro.Macro; |
import org.xwiki.rendering.macro.MacroExecutionException; |
import org.xwiki.rendering.macro.script.JSR223ScriptMacroParameters; |
import org.xwiki.rendering.syntax.Syntax; |
import org.xwiki.rendering.transformation.MacroTransformationContext; |
import org.xwiki.security.authorization.ContextualAuthorizationManager; |
import org.xwiki.security.authorization.Right; |
import org.xwiki.test.jmock.AbstractComponentTestCase; |
@version |
@since |
/**
 * Exercises the authorization checks applied when the {@code groovy} script macro is executed.
 * <p>
 * Every test drives {@link #testExecution(boolean, boolean, boolean, boolean)} with one combination of four switches:
 * whether the {@code secure} compilation customizer is configured, whether the transformation context is restricted,
 * and whether the mocked {@link ContextualAuthorizationManager} grants the script right and the programming right.
 * The outcomes pinned by this class are:
 * <ul>
 *   <li>{@code secure} customizer, unrestricted context: runs with the script right or the programming right, fails
 *       with neither;</li>
 *   <li>{@code secure} customizer, restricted context: fails even when rights are granted;</li>
 *   <li>no customizer: fails without the programming right (the script right alone is not enough), runs with it,
 *       including in a restricted context.</li>
 * </ul>
 * NOTE(review): most negative cases rely on {@code @Test(expected = MacroExecutionException.class)} and never look at
 * the exception message, so a {@link MacroExecutionException} raised for an unrelated reason would satisfy them too.
 * Only {@link #testExecutionWhenNoSecureCustomizerAndNoRights()} checks the denial message.
 */
public class SecurityTest extends AbstractComponentTestCase
{
    /** Mocked authorization manager; its answers are scripted per test in {@code testExecution}. */
    private ContextualAuthorizationManager cam;

    /** Mocked configuration source used to report the configured Groovy compilation customizers. */
    private ConfigurationSource configurationSource;

    /**
     * Registers the mock components used by the tests and keeps a handle on the two whose answers are scripted.
     *
     * @throws Exception if a mock component cannot be registered
     */
    @Before
    public void setUpMocks() throws Exception
    {
        // Registered but never scripted: no expectation is set on this mock anywhere in this class.
        registerMockComponent(DocumentAccessBridge.class);

        this.cam = registerMockComponent(ContextualAuthorizationManager.class);
        registerMockComponent(AttachmentReferenceResolver.TYPE_STRING, "current");

        this.configurationSource = registerMockComponent(ConfigurationSource.class);
    }

    /**
     * With the {@code secure} customizer and an unrestricted context, the script right alone is enough to execute.
     */
    @Test
    public void testExecutionWhenSecureCustomizerWithScriptRightsAndNoProgrammingRights() throws Exception
    {
        testExecution(true, false, true, false);
    }

    /**
     * With the {@code secure} customizer but neither right granted, execution must be refused.
     */
    @Test(expected = MacroExecutionException.class)
    public void testExecutionWhenSecureCustomizerWithNoScriptRightsAndNoProgrammingRights() throws Exception
    {
        testExecution(true, false, false, false);
    }

    /**
     * With the {@code secure} customizer, the programming right is sufficient on its own. The mock answers the script
     * right check positively whenever the programming right is granted.
     */
    @Test
    public void testExecutionWhenSecureCustomizerWithNoScriptRightsAndProgrammingRights() throws Exception
    {
        testExecution(true, false, false, true);
    }

    /**
     * With the {@code secure} customizer, a restricted context must refuse execution even though the script right is
     * granted.
     */
    @Test(expected = MacroExecutionException.class)
    public void testExecutionWhenSecureCustomizerAndRestricted() throws Exception
    {
        testExecution(true, true, true, false);
    }

    /**
     * With the {@code secure} customizer, a restricted context must refuse execution even with the programming right.
     */
    @Test(expected = MacroExecutionException.class)
    public void testExecutionWhenSecureCustomizerAndRestrictedWithScriptRightsAndProgrammingRights() throws Exception
    {
        // hasSR is passed as false, yet the script right is still reported as granted because the mock derives it
        // from hasPR as well.
        testExecution(true, true, false, true);
    }

    /**
     * Without the {@code secure} customizer and without any right, execution must be refused with the dedicated
     * "not allowed" message. This is the only negative test that verifies the reason for the failure.
     */
    @Test
    public void testExecutionWhenNoSecureCustomizerAndNoRights() throws Exception
    {
        MacroExecutionException denial = null;
        try {
            testExecution(false, false, false, false);
        } catch (MacroExecutionException expected) {
            denial = expected;
        }

        if (denial == null) {
            Assert.fail("Should have thrown an exception here!");
        }

        String denialMessage = denial.getMessage();
        Assert.assertTrue(StringUtils.startsWith(denialMessage,
            "The execution of the [groovy] script macro is not allowed."));
    }

    /**
     * Without the {@code secure} customizer, the script right alone must not be enough to execute.
     */
    @Test(expected = MacroExecutionException.class)
    public void testExecutionWhenNoSecureCustomizerAndScriptRights() throws Exception
    {
        testExecution(false, false, true, false);
    }

    /**
     * Without the {@code secure} customizer, the programming right allows execution.
     */
    @Test
    public void testExecutionWhenNoSecureCustomizerAndProgrammingRights() throws Exception
    {
        testExecution(false, false, false, true);
    }

    /**
     * Without the {@code secure} customizer, the programming right allows execution even in a restricted context.
     * <p>
     * NOTE(review): this is the opposite outcome from the restricted cases with the {@code secure} customizer, where
     * the same rights lead to a {@link MacroExecutionException}. Confirm the asymmetry is intended.
     */
    @Test
    public void testExecutionWhenNoSecureCustomizerAndExecutionRestrictedAndProgrammingRights() throws Exception
    {
        testExecution(false, true, false, true);
    }

    /**
     * Scripts the mocks for one rights/configuration combination and then runs a trivial Groovy script.
     *
     * @param hasCustomizer whether {@code groovy.compilationCustomizers} should contain {@code "secure"}
     * @param isRestricted whether the transformation context is flagged as restricted
     * @param hasSR whether the script right is granted (it is also reported as granted when {@code hasPR} is true)
     * @param hasPR whether the programming right is granted
     * @throws Exception if the macro refuses or fails to execute
     */
    private void testExecution(final boolean hasCustomizer, final boolean isRestricted, final boolean hasSR,
        final boolean hasPR) throws Exception
    {
        final List<String> configuredCustomizers = new ArrayList<>();
        if (hasCustomizer) {
            configuredCustomizers.add("secure");
        }

        // The mock treats the programming right as implying the script right.
        final boolean scriptRightGranted = hasSR || hasPR;

        getMockery().checking(new Expectations()
        {
            {
                allowing(configurationSource).getProperty("groovy.compilationCustomizers", Collections.emptyList());
                will(returnValue(configuredCustomizers));

                allowing(cam).hasAccess(Right.SCRIPT);
                will(returnValue(scriptRightGranted));

                allowing(cam).hasAccess(Right.PROGRAM);
                will(returnValue(hasPR));
            }
        });

        executeGroovyMacro("new Integer(0)", isRestricted);
    }

    /**
     * Runs the given script through the Groovy macro in an unrestricted context. No test in this class calls this
     * overload.
     *
     * @param script the Groovy source to execute
     * @throws Exception if the macro refuses or fails to execute
     */
    private void executeGroovyMacro(String script) throws Exception
    {
        executeGroovyMacro(script, false);
    }

    /**
     * Looks up the {@code groovy} macro and executes the given script with default macro parameters.
     *
     * @param script the Groovy source to execute
     * @param restricted the value set as the restricted flag of the transformation context
     * @throws Exception if the macro cannot be looked up, or refuses or fails to execute
     */
    private void executeGroovyMacro(String script, boolean restricted) throws Exception
    {
        Macro groovyMacro = getComponentManager().getInstance(Macro.class, "groovy");
        JSR223ScriptMacroParameters macroParameters = new JSR223ScriptMacroParameters();

        MacroTransformationContext transformationContext = new MacroTransformationContext();
        transformationContext.setSyntax(Syntax.XWIKI_2_1);
        // The restricted flag is one of the inputs varied by the tests in this class.
        transformationContext.getTransformationContext().setRestricted(restricted);
        transformationContext.setCurrentMacroBlock(
            new MacroBlock("groovy", Collections.<String, String>emptyMap(), false));

        groovyMacro.execute(macroParameters, script, transformationContext);
    }
}