Diffstat (limited to 'tests/reproducers/simple/CustomPolicies')
6 files changed, 449 insertions, 0 deletions
diff --git a/tests/reproducers/simple/CustomPolicies/resources/CustomPolicies.html b/tests/reproducers/simple/CustomPolicies/resources/CustomPolicies.html
new file mode 100644
index 0000000..06d4508
--- /dev/null
+++ b/tests/reproducers/simple/CustomPolicies/resources/CustomPolicies.html
@@ -0,0 +1,48 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<html>
+ <head></head>
+ <body>
+ <applet code="CustomPolicies.class"
+ archive="CustomPolicies.jar"
+ codebase="."
+ width="800"
+ height="600">
+ </applet>
+ </body>
+</html>
diff --git a/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplet.jnlp b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplet.jnlp
new file mode 100644
index 0000000..00d6a83
--- /dev/null
+++ b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplet.jnlp
@@ -0,0 +1,53 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="CustomPoliciesApplet.jnlp" codebase=".">
+ <information>
+ <title>CustomPoliciesApplet</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test that unsigned applets can perform privileged actions when granted by custom policies</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="CustomPolicies.jar"/>
+ </resources>
+ <applet-desc main-class="CustomPolicies">
+ </applet-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplication.jnlp b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplication.jnlp
new file mode 100644
index 0000000..31624e8
--- /dev/null
+++ b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesApplication.jnlp
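Review bot: The XML declaration `<?xml version="1.0" encoding="utf-8"?>` comes after the license comment in CustomPoliciesApplet.jnlp, and CustomPoliciesApplication.jnlp repeats the same layout; XML only allows the declaration as the very first thing in the document, so a strict parser will reject both files. They presumably load only because the JNLP parser under test is lenient, which makes these fixtures depend on that leniency rather than on the policy behaviour being tested. Putting `<?xml version="1.0" encoding="utf-8"?>` on the first line and the `<!-- … license … -->` comment after it keeps both descriptors well-formed.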
@@ -0,0 +1,53 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<?xml version="1.0" encoding="utf-8"?>
+<jnlp spec="1.0" href="CustomPoliciesApplication.jnlp" codebase=".">
+ <information>
+ <title>CustomPoliciesApplication</title>
+ <vendor>IcedTea</vendor>
+ <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/>
+ <description>Test that unsigned applets can perform privileged actions when granted by custom policies</description>
+ <offline/>
+ </information>
+ <resources>
+ <j2se version="1.4+"/>
+ <jar href="CustomPolicies.jar"/>
+ </resources>
+ <application-desc main-class="CustomPolicies">
+ </application-desc>
+</jnlp>
diff --git a/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesJnlpHref.html b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesJnlpHref.html
new file mode 100644
index 0000000..49727e5
--- /dev/null
+++ b/tests/reproducers/simple/CustomPolicies/resources/CustomPoliciesJnlpHref.html
@@ -0,0 +1,45 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<html>
+ <head></head>
+ <body>
+ <applet width="800" height="600" code="CustomPolicies">
+ <param name="jnlp_href" value="CustomPoliciesApplet.jnlp">
+ </applet>
+ </body>
+</html>
diff --git a/tests/reproducers/simple/CustomPolicies/srcs/CustomPolicies.java b/tests/reproducers/simple/CustomPolicies/srcs/CustomPolicies.java new file mode 100644 index 0000000..2446f55 --- /dev/null +++ b/tests/reproducers/simple/CustomPolicies/srcs/CustomPolicies.java @@ -0,0 +1,23 @@ +import java.applet.Applet; +import java.security.AccessControlException; + +public class CustomPolicies extends Applet { + + @Override + public void start() { + System.out.println("CustomPolicies applet read: " + read("user.home")); + System.exit(0); + } + + private String read(String key) { + try { + return System.getProperty(key); + } catch (AccessControlException ace) { + return ace.toString(); + } + } + + public static void main(String[] args) { + new CustomPolicies().start(); + } +} diff --git a/tests/reproducers/simple/CustomPolicies/testcases/CustomPoliciesTest.java b/tests/reproducers/simple/CustomPolicies/testcases/CustomPoliciesTest.java new file mode 100644 index 0000000..24bdc4c --- /dev/null +++ b/tests/reproducers/simple/CustomPolicies/testcases/CustomPoliciesTest.java 
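Review bot: `read()` in CustomPolicies.java catches only `AccessControlException`, while `System.getProperty` is specified to throw `SecurityException`. If the installed security manager raises any other subtype, the exception escapes `start()` before the `println` runs, and the test fails on its "should have initialized" check instead of on the permission assertion. Catching the supertype, `} catch (SecurityException se) { return se.toString(); }`, leaves the default-case output unchanged because `toString()` still prints the runtime class name. The class also lacks a comment saying that the `"CustomPolicies applet read: "` prefix is matched verbatim by CustomPoliciesTest; a one-line class comment stating that would keep the two in step.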
@@ -0,0 +1,227 @@ +/* CustomPoliciesTest.java +Copyright (C) 2014 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import java.io.File; +import java.io.FileWriter; +import java.io.FilenameFilter; +import java.io.IOException; +import java.net.URL; + +import net.sourceforge.jnlp.ProcessResult; +import net.sourceforge.jnlp.ServerAccess; +import net.sourceforge.jnlp.annotations.NeedsDisplay; +import net.sourceforge.jnlp.annotations.TestInBrowsers; +import net.sourceforge.jnlp.browsertesting.BrowserTest; +import net.sourceforge.jnlp.browsertesting.Browsers; +import net.sourceforge.jnlp.closinglisteners.RulesFolowingClosingListener; +import net.sourceforge.jnlp.config.DeploymentConfiguration; +import net.sourceforge.jnlp.runtime.JNLPRuntime; + +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +/* Test that adding permission for all codesources to read the user.home property + * results in an unsigned applet being able to perform this action + */ +public class CustomPoliciesTest extends BrowserTest { + + private static DeploymentConfiguration config = JNLPRuntime.getConfiguration(); + private static File policy, policyBackup; + + @BeforeClass + public static void setPolicyLocation() throws Exception { + policy = new File(new URL(config.getProperty(DeploymentConfiguration.KEY_USER_SECURITY_POLICY)).getPath()); + File securityDir = policy.getParentFile(); + File[] previousBackups = securityDir.listFiles(new FilenameFilter() { + @Override + public boolean accept(File dir, String name) { + return name.startsWith("java.policy.bak"); + } + }); + for (File backup : previousBackups) { + ServerAccess.logErrorReprint("Warning: found previous policy file backup at " + backup); + } + } + + @Before + public void backupPolicy() throws Exception { + if (policy.isFile()) { + policyBackup = File.createTempFile("java.policy.bak", null, policy.getParentFile()); + if (!policy.renameTo(policyBackup)) { + ServerAccess.logErrorReprint("Could not back up 
existing policy file"); + throw new RuntimeException("Could not back up existing policy file"); + } + } + + } + + @After + public void restorePolicy() { + policy.delete(); + if (policyBackup != null && policyBackup.isFile()) { + policyBackup.renameTo(policy); + } + } + + private void writePolicy() throws IOException { + FileWriter out = new FileWriter(policy); + try { + String policyText="grant {\n permission java.util.PropertyPermission \"user.home\", \"read\";\n};\n"; + out.write(policyText, 0, policyText.length()); + } finally { + out.close(); + } + } + + @NeedsDisplay + @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testHtmlLaunchWithPolicy() throws Exception { + writePolicy(); + assertPolicyExists(); + RulesFolowingClosingListener listener = new RulesFolowingClosingListener(); + listener.addContainsRule("CustomPolicies applet read:"); + ProcessResult pr = server.executeBrowser("CustomPolicies.html", listener, null); + assertInit(pr); + assertReadProps(pr); + assertNoAccessControlException(pr); + } + + @NeedsDisplay + @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testHtmlJnlpHrefLaunchWithPolicy() throws Exception { + writePolicy(); + assertPolicyExists(); + RulesFolowingClosingListener listener = new RulesFolowingClosingListener(); + listener.addContainsRule("CustomPolicies applet read:"); + ProcessResult pr = server.executeBrowser("CustomPoliciesJnlpHref.html", listener, null); + assertInit(pr); + assertReadProps(pr); + assertNoAccessControlException(pr); + } + + @Test + public void testJnlpAppletLaunchWithPolicy() throws Exception { + writePolicy(); + assertPolicyExists(); + ProcessResult pr = server.executeJavawsHeadless("CustomPoliciesApplet.jnlp"); + assertInit(pr); + assertReadProps(pr); + assertNoAccessControlException(pr); + } + + @Test + public void testJnlpApplicationLaunchWithPolicy() throws Exception { + writePolicy(); + assertPolicyExists(); + ProcessResult pr = 
server.executeJavawsHeadless("CustomPoliciesApplication.jnlp"); + assertInit(pr); + assertReadProps(pr); + assertNoAccessControlException(pr); + } + + @NeedsDisplay + @Test + @TestInBrowsers(testIn = { Browsers.one }) + public void testHtmlLaunch() throws Exception { + assertNoPolicyExists(); + RulesFolowingClosingListener listener = new RulesFolowingClosingListener(); + listener.addContainsRule("CustomPolicies applet read:"); + ProcessResult pr = server.executeBrowser("CustomPolicies.html", listener, null); + assertInit(pr); + assertAccessControlException(pr); + } + + @NeedsDisplay + @Test + @TestInBrowsers(testIn = { Browsers.one }) + public void testHtmlJnlpHrefLaunch() throws Exception { + assertNoPolicyExists(); + RulesFolowingClosingListener listener = new RulesFolowingClosingListener(); + listener.addContainsRule("CustomPolicies applet read:"); + ProcessResult pr = server.executeBrowser("CustomPoliciesJnlpHref.html", listener, null); + assertInit(pr); + assertAccessControlException(pr); + } + + @Test + public void testJnlpAppletLaunch() throws Exception { + assertNoPolicyExists(); + ProcessResult pr = server.executeJavawsHeadless("CustomPoliciesApplet.jnlp"); + assertInit(pr); + assertAccessControlException(pr); + } + + @Test + public void testJnlpApplicationLaunch() throws Exception { + assertNoPolicyExists(); + ProcessResult pr = server.executeJavawsHeadless("CustomPoliciesApplication.jnlp"); + assertInit(pr); + assertAccessControlException(pr); + } + + private void assertAccessControlException(ProcessResult pr) { + assertTrue("Applet should not have been able to read user.home", pr.stdout.contains("AccessControlException: access denied")); + } + + private void assertPolicyExists() { + assertTrue("A user policy file should be installed", policy.isFile()); + } + + private void assertNoPolicyExists() { + assertFalse("A user policy file should not be installed", policy.isFile()); + } + + private void assertInit(ProcessResult pr) { + assertTrue("Applet should 
have initialized", pr.stdout.contains("CustomPolicies applet read:")); + } + + private void assertReadProps(ProcessResult pr) { + assertTrue("stdout should contain user.home", pr.stdout.contains(System.getProperty("user.home"))); + } + + private void assertNoAccessControlException(ProcessResult pr) { + assertFalse("Applet should have been able to read user.home", pr.stdout.contains("AccessControlException: access denied")); + } + +} |
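Review bot: `restorePolicy()` discards the results of `policy.delete()` and `policyBackup.renameTo(policy)`, so a failed cleanup passes silently. That leaves either the test's blanket `grant { … }` entry installed in the file named by `KEY_USER_SECURITY_POLICY`, or the user's original policy stranded under a `java.policy.bak*` name. `backupPolicy()` already treats a failed rename as fatal, and the teardown should report failure the same way, as in the block below. Separately, in `setPolicyLocation()` the call `securityDir.listFiles(...)` returns null when the directory does not exist, so the warning loop needs an `if (previousBackups != null)` guard to avoid a NullPointerException on a fresh profile.

```java
@After
public void restorePolicy() {
    // Fail loudly: a leftover test policy keeps granting the permission to every codesource.
    if (policy.exists() && !policy.delete()) {
        ServerAccess.logErrorReprint("Could not remove test policy file " + policy);
        throw new RuntimeException("Could not remove test policy file");
    }
    if (policyBackup != null && policyBackup.isFile() && !policyBackup.renameTo(policy)) {
        ServerAccess.logErrorReprint("Could not restore policy file from " + policyBackup);
        throw new RuntimeException("Could not restore original policy file");
    }
}
```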