You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by rm...@apache.org on 2015/02/25 17:23:45 UTC
svn commit: r1662254 - in /lucene/dev/trunk: lucene/
lucene/analysis/common/src/test/org/apache/lucene/analysis/util/
lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/
lucene/core/src/test/org/apache/lucene/util/ lucene/tools/junit4/ solr/
Author: rmuir
Date: Wed Feb 25 16:23:44 2015
New Revision: 1662254
URL: http://svn.apache.org/r1662254
Log:
LUCENE-6238: minimize tests.policy
Added:
lucene/dev/trunk/lucene/tools/junit4/solr-tests.policy (with props)
Modified:
lucene/dev/trunk/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java
lucene/dev/trunk/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java
lucene/dev/trunk/lucene/common-build.xml
lucene/dev/trunk/lucene/core/src/test/org/apache/lucene/util/TestIOUtils.java
lucene/dev/trunk/lucene/tools/junit4/tests.policy
lucene/dev/trunk/solr/common-build.xml
Modified: lucene/dev/trunk/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java (original)
+++ lucene/dev/trunk/lucene/analysis/common/src/test/org/apache/lucene/analysis/util/TestFilesystemResourceLoader.java Wed Feb 25 16:23:44 2015
@@ -31,7 +31,7 @@ public class TestFilesystemResourceLoade
private void assertNotFound(ResourceLoader rl) throws Exception {
try {
- IOUtils.closeWhileHandlingException(rl.openResource("/this-directory-really-really-really-should-not-exist/foo/bar.txt"));
+ IOUtils.closeWhileHandlingException(rl.openResource("this-directory-really-really-really-should-not-exist/foo/bar.txt"));
fail("The resource does not exist, should fail!");
} catch (IOException ioe) {
// pass
Modified: lucene/dev/trunk/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java (original)
+++ lucene/dev/trunk/lucene/analysis/uima/src/java/org/apache/lucene/analysis/uima/ae/BasicAEProvider.java Wed Feb 25 16:23:44 2015
@@ -80,7 +80,7 @@ public class BasicAEProvider implements
private XMLInputSource getInputSource() throws IOException {
try {
return new XMLInputSource(aePath);
- } catch (IOException e) {
+ } catch (Exception e) {
return new XMLInputSource(getClass().getResource(aePath));
}
}
Modified: lucene/dev/trunk/lucene/common-build.xml
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/common-build.xml?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/lucene/common-build.xml (original)
+++ lucene/dev/trunk/lucene/common-build.xml Wed Feb 25 16:23:44 2015
@@ -125,6 +125,7 @@
<property name="tests.filterstacks" value="true"/>
<property name="tests.luceneMatchVersion" value="${version.base}"/>
<property name="tests.asserts" value="true" />
+ <property name="tests.policy" location="${common.dir}/tools/junit4/tests.policy"/>
<condition property="tests.asserts.args" value="-ea -esa" else="">
<istrue value="${tests.asserts}"/>
@@ -1012,11 +1013,12 @@
<!-- Restrict access to certain Java features and install security manager: -->
<sysproperty key="junit4.tempDir" file="@{workDir}/temp" />
+ <sysproperty key="common.dir" file="${common.dir}" />
<sysproperty key="clover.db.dir" file="${clover.db.dir}" />
<syspropertyset>
<propertyref prefix="java.security.manager"/>
</syspropertyset>
- <sysproperty key="java.security.policy" file="${common.dir}/tools/junit4/tests.policy" />
+ <sysproperty key="java.security.policy" file="${tests.policy}" />
<sysproperty key="tests.LUCENE_VERSION" value="${version.base}"/>
@@ -2501,7 +2503,7 @@ The following arguments can be provided
<junit4:pickseed property="pitest.seed" />
- <property name="pitest.sysprops" value="-Dversion=${version},-Dtest.seed=${pitest.seed},-Djava.security.manager=org.apache.lucene.util.TestSecurityManager,-Djava.security.policy=${common.dir}/tools/junit4/tests.policy,-Djava.io.tmpdir=${tests.workDir},-Djunit4.childvm.cwd=${tests.workDir},-Djunit4.tempDir=${tests.workDir}" />
+ <property name="pitest.sysprops" value="-Dversion=${version},-Dtest.seed=${pitest.seed},-Djava.security.manager=org.apache.lucene.util.TestSecurityManager,-Djava.security.policy=${tests.policy},-Djava.io.tmpdir=${tests.workDir},-Djunit4.childvm.cwd=${tests.workDir},-Djunit4.tempDir=${tests.workDir}" />
<pitest
classPath="pitest.classpath"
Modified: lucene/dev/trunk/lucene/core/src/test/org/apache/lucene/util/TestIOUtils.java
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/core/src/test/org/apache/lucene/util/TestIOUtils.java?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/lucene/core/src/test/org/apache/lucene/util/TestIOUtils.java (original)
+++ lucene/dev/trunk/lucene/core/src/test/org/apache/lucene/util/TestIOUtils.java Wed Feb 25 16:23:44 2015
@@ -215,7 +215,7 @@ public class TestIOUtils extends LuceneT
@Override
public void checkAccess(Path path, AccessMode... modes) throws IOException {
// TODO: kinda screwed up how we do this, but it's easy to get lost. just unravel completely.
- delegate.checkAccess(FilterPath.unwrap(path), modes);
+ delegate.checkAccess(maybeChroot(FilterPath.unwrap(path)), modes);
}
@Override
Added: lucene/dev/trunk/lucene/tools/junit4/solr-tests.policy
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/tools/junit4/solr-tests.policy?rev=1662254&view=auto
==============================================================================
--- lucene/dev/trunk/lucene/tools/junit4/solr-tests.policy (added)
+++ lucene/dev/trunk/lucene/tools/junit4/solr-tests.policy Wed Feb 25 16:23:44 2015
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// Policy file to prevent tests from writing outside the test sandbox directory
+// (must be given as a sysprop: tests.sandbox.dir)
+// This policy also disallows stuff like listening on network ports of interfaces
+// different than 127.0.0.1.
+
+// PLEASE NOTE: You may need to enable other permissions when new tests are added,
+// everything not allowed here is forbidden!
+
+grant {
+ // permissions for file access, write access only to sandbox:
+ permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
+
+ // all possibilities of accepting/binding connections on localhost with ports >=1024:
+ permission java.net.SocketPermission "localhost:1024-", "accept,listen";
+ permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
+ permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
+
+ // This is a special case, because the network config of the ASF Jenkins server is broken,
+ // see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
+ permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
+
+ // Allow connecting to the internet anywhere
+ permission java.net.SocketPermission "*", "connect,resolve";
+
+ // Basic permissions needed for Lucene to work:
+ permission java.util.PropertyPermission "*", "read,write";
+ permission java.lang.reflect.ReflectPermission "*";
+ permission java.lang.RuntimePermission "*";
+
+ // These two *have* to be spelled out a separate
+ permission java.lang.management.ManagementPermission "control";
+ permission java.lang.management.ManagementPermission "monitor";
+
+ // Solr needs those:
+ permission java.net.NetPermission "*";
+ permission java.sql.SQLPermission "*";
+ permission java.util.logging.LoggingPermission "control";
+ permission javax.management.MBeanPermission "*", "*";
+ permission javax.management.MBeanServerPermission "*";
+ permission javax.management.MBeanTrustPermission "*";
+ permission javax.security.auth.AuthPermission "*";
+ permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
+ permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
+ permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
+ permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
+
+ // TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
+ permission java.security.SecurityPermission "putProviderProperty.BC";
+ permission java.security.SecurityPermission "insertProvider.BC";
+
+ // Needed for some things in DNS caching in the JVM
+ permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
+ permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
+
+ // SSL related properties for Solr tests
+ permission java.security.SecurityPermission "getProperty.ssl.*";
+
+ // SASL/Kerberos related properties for Solr tests
+ permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
+
+ // may only be necessary with Java 7?
+ permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
+ permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
+
+ permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
+ permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
+ permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
+};
Modified: lucene/dev/trunk/lucene/tools/junit4/tests.policy
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/lucene/tools/junit4/tests.policy?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/lucene/tools/junit4/tests.policy (original)
+++ lucene/dev/trunk/lucene/tools/junit4/tests.policy Wed Feb 25 16:23:44 2015
@@ -15,76 +15,71 @@
* limitations under the License.
*/
-// Policy file to prevent tests from writing outside the test sandbox directory
-// (must be given as a sysprop: tests.sandbox.dir)
-// This policy also disallows stuff like listening on network ports of interfaces
-// different than 127.0.0.1.
-
-// PLEASE NOTE: You may need to enable other permissions when new tests are added,
-// everything not allowed here is forbidden!
+// Policy file for lucene tests. Please keep minimal and avoid wildcards.
grant {
- // permissions for file access, write access only to sandbox:
- permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
- permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
- permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
-
- // all possibilities of accepting/binding connections on localhost with ports >=1024:
- permission java.net.SocketPermission "localhost:1024-", "accept,listen";
- permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
- permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
-
- // This is a special case, because the network config of the ASF Jenkins server is broken,
- // see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
- permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
-
- // Allow connecting to the internet anywhere
- permission java.net.SocketPermission "*", "connect,resolve";
+ // contain read access to only what we need:
+ // 3rd party jar resources (where symlinks are not supported), test-files/ resources
+ permission java.io.FilePermission "${common.dir}${/}-", "read";
+ // 3rd party jar resources (where symlinks are supported)
+ permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
+ // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
+ permission java.io.FilePermission "${java.home}${/}-", "read,execute";
+ // should be enclosed within common.dir, but just in case:
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
+
+ // write only to sandbox
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
+
+ // needed by gson serialization of junit4 runner: TODO clean that up
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ // needed by junit4 runner to capture sysout/syserr:
+ permission java.lang.RuntimePermission "setIO";
+ // needed by randomized runner to catch failures from other threads:
+ permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
+ // needed by randomized runner getTopThreadGroup:
+ permission java.lang.RuntimePermission "modifyThreadGroup";
+ // needed by tests e.g. shutting down executors:
+ permission java.lang.RuntimePermission "modifyThread";
+ // needed for tons of test hacks etc
+ permission java.lang.RuntimePermission "getStackTrace";
+ // needed for mock filesystems in tests
+ permission java.lang.RuntimePermission "fileSystemProvider";
+ // needed for mock filesystems in tests (to capture implCloseChannel)
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
+ // needed by junit nested compat tests (due to static fields reflection), TODO clean these up:
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.locale";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.fs";
+ // needed for test of IOUtils.spins (maybe it can be avoided)
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ // analyzers/morfologik: needed for a horrible context classloader hack for solr in morfologikfilter: nuke this
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ // analyzers/uima: needed by UIMA message localization... (?)
+ permission java.lang.RuntimePermission "createSecurityManager";
+ permission java.lang.RuntimePermission "createClassLoader";
+ // needed to test unmap hack on platforms that support it
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
- // Basic permissions needed for Lucene to work:
+ // read access to all system properties:
+ // needed by junit4 BootstrapEvent (it calls System.getProperties, used by ant xml reporting?)
permission java.util.PropertyPermission "*", "read,write";
- permission java.lang.reflect.ReflectPermission "*";
- permission java.lang.RuntimePermission "*";
- // These two *have* to be spelled out a separate
- permission java.lang.management.ManagementPermission "control";
- permission java.lang.management.ManagementPermission "monitor";
-
- // Solr needs those:
- permission java.net.NetPermission "*";
- permission java.sql.SQLPermission "*";
- permission java.util.logging.LoggingPermission "control";
- permission javax.management.MBeanPermission "*", "*";
- permission javax.management.MBeanServerPermission "*";
- permission javax.management.MBeanTrustPermission "*";
- permission javax.security.auth.AuthPermission "*";
- permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
- permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
- permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
- permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
+ // replicator: jetty tests require some network permissions:
+ // all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
+ permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
+ permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";
- // TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
- permission java.security.SecurityPermission "putProviderProperty.BC";
- permission java.security.SecurityPermission "insertProvider.BC";
-
- // Needed for some things in DNS caching in the JVM
- permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
- permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
-
- // SSL related properties for Solr tests
- permission java.security.SecurityPermission "getProperty.ssl.*";
+ // This is a special case, because the network config of the ASF Jenkins server is broken,
+ // see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
+ permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen,connect,resolve";
- // SASL/Kerberos related properties for Solr tests
- permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
-
- // may only be necessary with Java 7?
- permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
- permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
-
- permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
- permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
- permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
+ // SSL related properties for jetty
+ permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
+ permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
};
Modified: lucene/dev/trunk/solr/common-build.xml
URL: http://svn.apache.org/viewvc/lucene/dev/trunk/solr/common-build.xml?rev=1662254&r1=1662253&r2=1662254&view=diff
==============================================================================
--- lucene/dev/trunk/solr/common-build.xml (original)
+++ lucene/dev/trunk/solr/common-build.xml Wed Feb 25 16:23:44 2015
@@ -38,6 +38,7 @@
<property name="maven.dist.dir" location="${package.dir}/maven"/>
<property name="lucene-libs" location="${dest}/lucene-libs" />
<property name="tests.userdir" location="src/test-files"/>
+ <property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
<property name="server.dir" location="${common-solr.dir}/server" />
<property name="example" location="${common-solr.dir}/example" />
<property name="javadoc.dir" location="${dest}/docs"/>