From cbc64258778ec40e63357bbad93ad932eaed5c0d Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Tue, 3 Dec 2013 11:43:04 -0500
Subject: Tests for PR1592
---
ChangeLog | 24 ++++
.../srcs/MixedSigningAppletSigned.java | 145 +++++++++++++++++++
.../testcases/MixedSigningAppletSignedTests.java | 159 +++++++++++++++++++++
.../resources/MixedSigningApplet-1.jnlp | 61 ++++++++
.../resources/MixedSigningApplet-2.jnlp | 61 ++++++++
.../resources/MixedSigningApplet-3.jnlp | 61 ++++++++
.../resources/MixedSigningApplet-4.jnlp | 61 ++++++++
.../resources/MixedSigningApplet-5.jnlp | 61 ++++++++
.../resources/MixedSigningApplet-6.jnlp | 61 ++++++++
.../resources/MixedSigningApplet.html | 52 +++++++
.../srcs/MixedSigningAppletHelper.java | 89 ++++++++++++
11 files changed, 835 insertions(+)
create mode 100644 tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java
create mode 100644 tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp
create mode 100644 tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html
create mode 100644 tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java
diff --git a/ChangeLog b/ChangeLog
index b06d766..555934a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,27 @@ +2013-12-03 Andrew Azores + + Tests for PR1592. + * tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java: + new tests for per-JAR applet security + * tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp: + same + * tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html: + same + * tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java: + same + 2013-12-03 Andrew Azores Fix/new feature for PR1592. Each JAR in partially signed applets is diff --git a/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java b/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java new file mode 100644 index 0000000..1c55f19 --- /dev/null +++ b/tests/reproducers/signed/MixedSigningAppletSigned/srcs/MixedSigningAppletSigned.java 
@@ -0,0 +1,145 @@ +/* MixedSigningAppletSigned.java +Copyright (C) 2013 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +package com.redhat.mixedsigning.signed; +import java.applet.Applet; +import java.lang.reflect.Method; +import java.util.Arrays; +import java.util.ArrayList; +import java.util.List; + +/* See also simple/MixedSigningApplet */ +public class MixedSigningAppletSigned extends Applet { + + @Override + public void init() { + System.out.println("MixedSigningAppletSigned applet started. testName: " + getParameter("testName")); + Method m = null; + try { + m = this.getClass().getMethod(getParameter("testName")); + final String result = (String) m.invoke(this); + System.out.println(result); + } catch (Exception e) { + e.printStackTrace(); + } finally { + System.out.println("*** APPLET FINISHED ***"); + } + } + + public String testNonPrivilegedAction() { + return new HelperMethodCall().method("help").call(); + } + + // Should succeed + public String testSignedReadProperties() { + return System.getProperty("user.home"); + } + + // Should result in AccessControlException + public String testUnsignedReadProperties() { + return new HelperMethodCall().type(String.class).method("getProperty").arg("user.home").call(); + } + + // Should result in AccessControlException + public String testSignedExportPropertiesToUnsigned() { + return new HelperMethodCall().type(String.class).method("getPropertyFromSignedJar").arg("user.home").call(); + } + + // Should result in AccessControlException + public String testUnsignedAttacksSigned() { + return new HelperMethodCall().method("attack").call(); + } + + // Should result in InvocationTargetException (due to AccessControlException) + public String testUnsignedReflectionAttack() { + return new HelperMethodCall().method("reflectiveAttack").call(); + } + + public String calledByReflection() { + return System.getProperty("user.home"); + } + + public static String getProperty(String prop) { + return System.getProperty(prop); + } + + private static class HelperMethodCall { + + private String methodName; + private final List> methodSignature; + 
private final List args; + + public HelperMethodCall() { + methodSignature = new ArrayList>(); + args = new ArrayList(); + } + + public HelperMethodCall method(String methodName) { + this.methodName = methodName; + return this; + } + + public HelperMethodCall type(Class methodSignature) { + this.methodSignature.add(methodSignature); + return this; + } + + public HelperMethodCall arg(String arg) { + this.args.add(arg); + return this; + } + + public T call() { + try { + Class helper = Class.forName("com.redhat.mixedsigning.helper.MixedSigningAppletHelper"); + Method m; + if (this.methodSignature == null) { + m = helper.getMethod(this.methodName); + } else { + m = helper.getMethod(this.methodName, this.methodSignature.toArray(new Class[methodSignature.size()])); + } + Object[] params = args.toArray(new String[args.size()]); + @SuppressWarnings("unchecked") + T result = (T) m.invoke(null, params); + return result; + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + } +} diff --git a/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java b/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java new file mode 100644 index 0000000..f5c8bf0 --- /dev/null +++ b/tests/reproducers/signed/MixedSigningAppletSigned/testcases/MixedSigningAppletSignedTests.java 
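Review bot: In `HelperMethodCall.call()` the `if (this.methodSignature == null)` branch can never run, because `methodSignature` is a final field that the constructor always sets to a new list; the `else` path already covers the no-argument case by passing an empty array. The lookup can be a single statement, `Method m = helper.getMethod(this.methodName, this.methodSignature.toArray(new Class[methodSignature.size()]));`. Separately, `call()` catches every `Exception`, prints it and returns `null`, so the comments `// Should result in AccessControlException` on the test methods describe a stack trace on stderr rather than an exception reaching `init()`. Wording such as `// Expect AccessControlException in the stderr trace; call() returns null` would match what the code does.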
@@ -0,0 +1,159 @@ +/* MixedSigningAppletSignedTests.java +Copyright (C) 2013 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +import net.sourceforge.jnlp.ProcessResult; +import net.sourceforge.jnlp.ServerAccess.AutoClose; +import net.sourceforge.jnlp.annotations.KnownToFail; +import net.sourceforge.jnlp.annotations.NeedsDisplay; +import net.sourceforge.jnlp.annotations.TestInBrowsers; +import net.sourceforge.jnlp.browsertesting.BrowserTest; +import net.sourceforge.jnlp.browsertesting.Browsers; +import net.sourceforge.jnlp.closinglisteners.AutoOkClosingListener; + +import static org.junit.Assert.*; +import org.junit.Test; + +/* See also simple/MixedSigningApplet */ +public class MixedSigningAppletSignedTests extends BrowserTest { + + private static final String appletCloseString = AutoOkClosingListener.MAGICAL_OK_CLOSING_STRING; + private static final String userHome = System.getProperty("user.home"); + + @NeedsDisplay + // @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testNonPrivilegedAction() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testNonPrivilegedAction", AutoClose.CLOSE_ON_CORRECT_END); + assertTrue("stdout should contain MixedSigningApplet Applet Running but did not", pr.stdout.contains("MixedSigningApplet Applet Running")); + assertCloseString(pr); + } + + @NeedsDisplay + // @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testUnsignedReadProperties() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedReadProperties", AutoClose.CLOSE_ON_CORRECT_END); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @NeedsDisplay + // @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testSignedReadProperties() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testSignedReadProperties", AutoClose.CLOSE_ON_CORRECT_END); + assertTrue("stdout should contain " + userHome + " but did not", pr.stdout.contains(userHome)); + assertCloseString(pr); + } + + @NeedsDisplay + // @Test + 
@TestInBrowsers(testIn={Browsers.one}) + public void testSignedExportPropertiesToUnsigned() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testSignedExportPropertiesToUnsigned", AutoClose.CLOSE_ON_CORRECT_END); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @NeedsDisplay + // @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testUnsignedAttacksSigned() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedAttacksSigned", AutoClose.CLOSE_ON_CORRECT_END); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @NeedsDisplay + // @Test + @TestInBrowsers(testIn={Browsers.one}) + public void testUnsignedReflectionAttack() throws Exception { + ProcessResult pr = server.executeBrowser("MixedSigningApplet.html?testUnsignedReflectionAttack", AutoClose.CLOSE_ON_CORRECT_END); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @Test + public void testNonPrivilegedActionJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-1.jnlp"); + assertTrue("stdout should contain MixedSigningApplet Applet Running but did not", pr.stdout.contains("MixedSigningApplet Applet Running")); + assertCloseString(pr); + } + + @Test + public void testUnsignedReadPropertiesJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-2.jnlp"); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @Test + public void testSignedReadPropertiesJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-3.jnlp"); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @Test + public void testSignedExportPropertiesToUnsignedJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-4.jnlp"); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @Test + public void 
testUnsignedAttacksSignedJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-5.jnlp"); + assertAccessControlException(pr); + assertCloseString(pr); + } + + @Test + public void testUnsignedReflectionAttackJNLP() throws Exception { + ProcessResult pr = server.executeJavawsHeadless("MixedSigningApplet-6.jnlp"); + assertAccessControlException(pr); + assertCloseString(pr); + } + + private static void assertAccessControlException(ProcessResult pr) { + assertTrue("stderr should contain AccessControlException but did not", pr.stderr.contains("AccessControlException")); + } + + private static void assertCloseString(ProcessResult pr) { + assertTrue("stdout should contain " + appletCloseString + " but did not", pr.stdout.contains(appletCloseString)); + } +} diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp new file mode 100644 index 0000000..e79de8d --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-1.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp new file mode 100644 index 0000000..0fb1c99 --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-2.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp new file mode 100644 index 0000000..5799007 --- /dev/null 
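Review bot: `assertAccessControlException` only checks that stderr contains the substring `AccessControlException`, so the denial tests never confirm that the protected value stayed out of the applet's output. A run in which some unrelated access check failed while `user.home` was still printed would pass. Adding `assertFalse("stdout should not contain " + userHome, pr.stdout.contains(userHome));` to the denial cases would pin the property these tests exist to protect, assuming the launcher does not itself print paths under the home directory on stdout. `testSignedReadPropertiesJNLP` expects a denial while its browser counterpart `testSignedReadProperties` expects the value, and the six browser tests have `// @Test` commented out with `KnownToFail` imported but unused in this hunk. A one-line comment on each stating the reason would keep these from reading as mistakes.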
+++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-3.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp new file mode 100644 index 0000000..6975138 --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-4.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp new file mode 100644 index 0000000..2c1f11c --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-5.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp new file mode 100644 index 0000000..789a3cc --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet-6.jnlp @@ -0,0 +1,61 @@ + + + + + MixedSigningApplet + IcedTea + + Test per-JAR security assignment and permissions + + + + + + + + + + + + diff --git a/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html new file mode 100644 index 0000000..6fe11d7 --- /dev/null +++ b/tests/reproducers/simple/MixedSigningApplet/resources/MixedSigningApplet.html @@ -0,0 +1,52 @@ + + + + + + + + + 
diff --git a/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java b/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java
new file mode 100644
index 0000000..939205d
--- /dev/null
+++ b/tests/reproducers/simple/MixedSigningApplet/srcs/MixedSigningAppletHelper.java
@@ -0,0 +1,89 @@ +/* MixedSigningAppletHelper.java +Copyright (C) 2013 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +package com.redhat.mixedsigning.helper; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +/* See also signed/MixedSigningAppletSigned */ +public class MixedSigningAppletHelper { + + public static String help() { + return "MixedSigningApplet Applet Running"; + } + + public static String getProperty(String prop) { + return System.getProperty(prop); + } + + public static String getPropertyFromSignedJar(String prop) { + try { + Class signedAppletClass = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned"); + Method m = signedAppletClass.getMethod("getProperty", String.class); + String result = (String) m.invoke(null, prop); + return result; + } catch (Exception e) { + e.printStackTrace(); + return e.toString(); + } + } + + public static String attack() { + try { + Class signedAppletClass = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned"); + Method m = signedAppletClass.getMethod("getProperty", String.class); + String result = (String) m.invoke(signedAppletClass.newInstance(), "user.home"); + return result; + } catch (Exception e) { + e.printStackTrace(); + return e.toString(); + } + } + + public static String reflectiveAttack() { + String result = null; + try { + Object signedApplet = Class.forName("com.redhat.mixedsigning.signed.MixedSigningAppletSigned").newInstance(); + Method getProp = signedApplet.getClass().getMethod("calledByReflection"); + result = (String)getProp.invoke(signedApplet); + } catch (Exception e) { + e.printStackTrace(); + result = e.toString(); + } + return result; + } +} -- cgit v1.2.3
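Review bot: `attack()` resolves the same static `getProperty(String)` method as `getPropertyFromSignedJar()`, and the instance passed as the first argument to `m.invoke(...)` is ignored for a static method, so the two helpers differ only in that `attack()` also instantiates the signed class. If that instantiation is the behaviour under test, a comment such as `// receiver is ignored for the static getProperty; this case covers unsigned code instantiating the signed class` would say so. Otherwise the two test cases exercise the same check twice. A class-level comment stating that this class ships in the unsigned JAR, and that every method except `help()` is expected to be denied when it reaches `System.getProperty`, would document the fixture's contract for whoever maintains the per-JAR permission logic.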