Posted to commits@lucene.apache.org by ma...@apache.org on 2019/08/14 11:20:15 UTC
[lucene-solr] branch jira/SOLR-13452_gradle_5 updated: SOLR-13452:
Enable the test security manager and add some more missing sys props for
setting up tests.
This is an automated email from the ASF dual-hosted git repository.
markrmiller pushed a commit to branch jira/SOLR-13452_gradle_5
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/jira/SOLR-13452_gradle_5 by this push:
new b6adfcb SOLR-13452: Enable the test security manager and add some more missing sys props for setting up tests.
b6adfcb is described below
commit b6adfcbc3d9737f4d5d59dccd4808722682f442a
Author: markrmiller <ma...@apache.org>
AuthorDate: Wed Aug 14 06:20:01 2019 -0500
SOLR-13452: Enable the test security manager and add some more missing sys props for setting up tests.
---
build.gradle | 64 +++++++++++++++++++---
buildSrc/common/configure-test.gradle | 24 ++++++++
.../org/apache/lucene/gradle/JdepsReport.groovy | 11 +---
.../gradle/{JUnit4.groovy => TopHints.groovy} | 3 +-
.../apache/lucene/util/TestSecurityManager.java | 5 +-
lucene/tools/junit4/solr-tests.policy | 15 +++++
lucene/tools/junit4/tests.policy | 17 ++++++
solr/server/etc/jetty.xml | 7 +++
8 files changed, 125 insertions(+), 21 deletions(-)
diff --git a/build.gradle b/build.gradle
index 2498c8b..076d588 100644
--- a/build.gradle
+++ b/build.gradle
@@ -17,12 +17,24 @@
import org.apache.lucene.gradle.CheckWorkingCopy
import org.apache.lucene.gradle.LuceneSolrForbiddenApisPlugin
+import org.gradle.api.Project
import org.apache.commons.io.FilenameUtils
+import com.google.common.base.Strings
plugins {
id "com.palantir.consistent-versions" version "1.8.0"
}
+// TOC
+// -> defs and all project ext config
+// -> lucene-solr all project config
+// -> lucene-solr sub module config
+// -> lucene-solr root project config
+// -> all projects config
+// -> lucene-solr IDE config
+// -> dependencies
+// -> other config
+
buildDir = file("build")
// define lucene-solr project lists that exclude buildSrc
@@ -31,6 +43,17 @@ def luceneSolrSubProjects = subprojects.findAll { project -> project.name != 'bu
def rootProjectDir = project.rootProject.projectDir;
+public static String formatSeed(long seed) {
+ char [] HEX = "0123456789ABCDEF".toCharArray();
+ StringBuilder b = new StringBuilder();
+ while(true) {
+ b.append(HEX[(int) (seed & 0xF)]);
+ seed = seed >>> 4;
+ if (seed == 0) break
+ }
+ return b.reverse().toString();
+}
+
// setup some basics - for other allproject work see below
allprojects {
// make sure ant task logging shows up by default
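Review bot: Style point on `formatSeed`: the hand-rolled nibble loop produces the same string as the standard library, so the body could be `return Long.toHexString(seed).toUpperCase(Locale.ROOT)`. Both forms treat the value as unsigned and print `0` for a zero seed. If the loop stays, a one-line comment such as `// unsigned upper-case hex, no leading zeros` would document the output format.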
@@ -39,18 +62,34 @@ allprojects {
ext.filePath = { path -> file(path).getAbsolutePath() }
// sugar multi part File
ext.mfile = { file1, file2 -> new File(file(file1), file2.toString()) }
+
+ ext.getTopLvlProject = { proj ->
+ def topLvlProject
+ if (proj.group ==~ /.*?\.lucene(?:\.\w+)?/) {
+ topLvlProject = project.project(":lucene")
+ } else if (proj.group ==~ /.*?\.solr(?:\.\w+)?/) {
+ topLvlProject = project.project(":solr")
+ }
+ return topLvlProject
+ }
+
+ ext.pickRandomSeed = {
+ def propertyName = 'tests.seed'
+ def seedValue = null
+ if (project.hasProperty(propertyName)) seedValue = project.getProperty(propertyName)
+ if (seedValue == null) {
+ seedValue = formatSeed(new Random().nextLong());
+ println("Picking master seed for property '" + propertyName + "': " + seedValue);
+ return seedValue
+ } else {
+ println("Seed property '" + propertyName + "' already defined: " + seedValue);
+ return seedValue
+ }
+ }
}
apply from: mfile(rootProjectDir, 'buildSrc/common/build-help.gradle')
-// TOC
-// -> lucene-solr all project config
-// -> lucene-solr sub module config
-// -> lucene-solr root project config
-// -> all projects config
-// -> lucene-solr IDE config
-// -> dependencies
-// -> other config
// -> lucene-solr all module config - configure all lucene-solr projects, including root project
configure(luceneSolrProjects) {
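Review bot: `ext.getTopLvlProject` returns null when `proj.group` matches neither pattern, and both new call sites (`ext.getTopLvlProject(project).equals(...)` in this file and in configure-test.gradle) dereference the result directly. A project with an unexpected or unset group would fail with a NullPointerException during configuration rather than a message naming the project. Ending the closure with `throw new GradleException("Cannot map group '${proj.group}' to :lucene or :solr")` instead of returning null would make that failure explicit. The `allprojects` block starts above this hunk.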
@@ -115,6 +154,13 @@ configure(luceneSolrSubProjects) {
}
// configure tests
+
+ if (ext.getTopLvlProject(project).equals(rootProject.project(":lucene"))) {
+ project.ext.testsPolicy = 'lucene/tools/junit4/tests.policy'
+ } else {
+ project.ext.testsPolicy = 'lucene/tools/junit4/solr-tests.policy'
+ }
+
project.apply from: mfile(rootProjectDir, 'buildSrc/common/configure-test.gradle')
task sourceJar(type: Jar) {
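Review bot: The `else` branch assigns `solr-tests.policy` to every project that is not under `:lucene`, so any module that is misclassified silently runs under the broader policy. The Solr policy grants `<<ALL FILES>>` read/execute, while the Lucene one says it contains read access to what is needed. Making the second case explicit, `else if (ext.getTopLvlProject(project).equals(rootProject.project(":solr")))`, and failing the build otherwise would keep the policy choice deliberate. A short comment above the block stating why the two trees use different policies would help the next reader.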
@@ -153,7 +199,7 @@ configure(rootProject) {
tasks.create('checkWorkingCopy', CheckWorkingCopy, false)
- task testTimes(type: org.apache.lucene.gradle.JUnit4) {
+ task testTimes(type: org.apache.lucene.gradle.TopHints) {
group = 'Tests'
description = "Show the slowest tests (averages)."
}
diff --git a/buildSrc/common/configure-test.gradle b/buildSrc/common/configure-test.gradle
index f6c641d..852164b 100644
--- a/buildSrc/common/configure-test.gradle
+++ b/buildSrc/common/configure-test.gradle
@@ -22,6 +22,10 @@ test {
group = 'Tests'
description = "Runs project tests."
+ def rootProjectDir = project.rootProject.projectDir;
+
+ useJUnit()
+
systemProperty 'java.security.egd', 'file:/dev/./urandom'
filter {
@@ -37,6 +41,14 @@ test {
// Enable assertions in system classes
jvmArgs += "-esa"
+ def commonDir
+ if (project.ext.getTopLvlProject(project).equals(rootProject.project(":lucene"))) {
+ commonDir = rootProject.project(":lucene").projectDir
+ } else {
+ commonDir = rootProject.project(":solr").projectDir
+ }
+
+ systemProperty 'common.dir', "${commonDir}"
systemProperty 'tests.multiplier', '1'
systemProperty 'tests.codec', 'random'
systemProperty 'tests.postingsformat', 'random'
@@ -56,6 +68,17 @@ test {
systemProperty 'tests.asserts', 'true'
systemProperty 'tempDir', '.out/tests-temp'
systemProperty 'java.io.tmpdir', '.out/tests-temp'
+ systemProperty 'java.awt.headless', 'true'
+ systemProperty 'jetty.testMode', '1'
+ systemProperty 'jetty.insecurerandom', '1'
+ systemProperty 'jdk.map.althashing.threshold', '0'
+ systemProperty 'tests.src.home', System.getenv('user.dir')
+ systemProperty 'tests.seed', project.ext.pickRandomSeed()
+
+ // replaces default random source to the nonblocking variant
+ systemProperty 'java.security.egd', 'file:/dev/./urandom'
+ systemProperty 'java.security.manager', 'org.apache.lucene.util.TestSecurityManager'
+ systemProperty 'java.security.policy', "${mfile(rootProjectDir, project.ext.testsPolicy)}"
def testsJvms = project.ext.properties.tests_jvms
if (testsJvms) {
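Review bot: `System.getenv('user.dir')` reads an environment variable, but `user.dir` is a JVM system property, so `tests.src.home` will almost certainly be null here; `systemProperty 'tests.src.home', System.getProperty('user.dir')` is probably what was meant. The `java.security.egd` line repeats the setting already made near the top of this `test` block and can be dropped. On the policy line, a value passed as `java.security.policy=<file>` is combined with the JVM's default policy files; if the intent is that only the test policy applies, the value needs a leading `=`, as in `"=${mfile(rootProjectDir, project.ext.testsPolicy)}"`. The `test` block starts and ends outside this hunk.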
@@ -71,6 +94,7 @@ test {
}
+
// Some test resources and files are stored along the test sources
// and are expected to exist next to classes during tests
task copyTestResources(type: Copy) {
diff --git a/buildSrc/src/main/groovy/org/apache/lucene/gradle/JdepsReport.groovy b/buildSrc/src/main/groovy/org/apache/lucene/gradle/JdepsReport.groovy
index 74d8aa8..621f475 100644
--- a/buildSrc/src/main/groovy/org/apache/lucene/gradle/JdepsReport.groovy
+++ b/buildSrc/src/main/groovy/org/apache/lucene/gradle/JdepsReport.groovy
@@ -160,16 +160,7 @@ class JdepsReport extends DefaultTask {
return files
}
-
- protected Project getTopLvlProject(Project proj) {
- def topLvlProject
- if (proj.group ==~ /.*?\.lucene(?:\.\w+)?/) {
- topLvlProject = project.project(":lucene")
- } else if (proj.group ==~ /.*?\.solr(?:\.\w+)?/) {
- topLvlProject = project.project(":solr")
- }
- return topLvlProject
- }
+
}
diff --git a/buildSrc/src/main/groovy/org/apache/lucene/gradle/JUnit4.groovy b/buildSrc/src/main/groovy/org/apache/lucene/gradle/TopHints.groovy
similarity index 95%
rename from buildSrc/src/main/groovy/org/apache/lucene/gradle/JUnit4.groovy
rename to buildSrc/src/main/groovy/org/apache/lucene/gradle/TopHints.groovy
index cbdba68..b3285b9 100644
--- a/buildSrc/src/main/groovy/org/apache/lucene/gradle/JUnit4.groovy
+++ b/buildSrc/src/main/groovy/org/apache/lucene/gradle/TopHints.groovy
@@ -23,7 +23,8 @@ import org.gradle.api.tasks.InputFile
import org.gradle.api.tasks.OutputDirectory
import org.gradle.api.tasks.TaskAction
-class JUnit4 extends DefaultTask {
+// we may not end up using this with gradle
+class TopHints extends DefaultTask {
@TaskAction
diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
index 99c6270..04a136d 100644
--- a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
+++ b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
@@ -31,6 +31,7 @@ public final class TestSecurityManager extends SecurityManager {
static final String JUNIT4_TEST_RUNNER_PACKAGE = "com.carrotsearch.ant.tasks.junit4.";
static final String ECLIPSE_TEST_RUNNER_PACKAGE = "org.eclipse.jdt.internal.junit.runner.";
static final String IDEA_TEST_RUNNER_PACKAGE = "com.intellij.rt.execution.junit.";
+ static final String GRADLEWORKER = "org.gradle.";
/**
* Creates a new TestSecurityManager. This ctor is called on JVM startup,
@@ -68,7 +69,9 @@ public final class TestSecurityManager extends SecurityManager {
if (exitMethodHit != null) {
if (className.startsWith(JUNIT4_TEST_RUNNER_PACKAGE) ||
className.startsWith(ECLIPSE_TEST_RUNNER_PACKAGE) ||
- className.startsWith(IDEA_TEST_RUNNER_PACKAGE)) {
+ className.startsWith(IDEA_TEST_RUNNER_PACKAGE) ||
+ className.startsWith(GRADLEWORKER) ||
+ className.startsWith("worker." + GRADLEWORKER)) {
// this exit point is allowed, we return normally from closure:
return /*void*/ null;
} else {
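Review bot: The new `GRADLEWORKER` prefix `"org.gradle."` lets any class in the whole Gradle namespace call `System.exit`, which is much wider than the three existing entries that each name a specific test-runner package. Narrowing the constant to the package of the worker class that actually appears in the exit stack would keep this exemption as tight as the others. The inline `"worker." + GRADLEWORKER` would read better as a second named constant, and both names could follow the existing `*_TEST_RUNNER_PACKAGE` pattern. The enclosing method starts and ends outside the hunk, and its Javadoc, if it lists the allowed runners, should mention Gradle too.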
diff --git a/lucene/tools/junit4/solr-tests.policy b/lucene/tools/junit4/solr-tests.policy
index 69013eb..4a06574 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/lucene/tools/junit4/solr-tests.policy
@@ -23,6 +23,17 @@
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
// everything not allowed here is forbidden!
+// Gradle needs permissions
+grant codeBase "file:${user.home}/.gradle/-" {
+ permission java.security.AllPermission;
+// permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
+// permission java.lang.reflect.ReflectPermission "*";
+// permission java.util.logging.LoggingPermission "control";
+// permission java.util.PropertyPermission "*", "read,write";
+// permission java.io.FilePermission "${user.home}${/}.gradle${/}-", "read,write,delete";
+};
+
+
grant {
// permissions for file access, write access only to sandbox:
permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
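Review bot: The new `grant codeBase "file:${user.home}/.gradle/-"` block gives `java.security.AllPermission` to every jar loaded from the Gradle user home, which presumably includes the third-party dependency cache and not only Gradle's own runtime. Any `doPrivileged` call inside those libraries then runs outside the sandbox this policy is meant to enforce. Restricting the codeBase to the directories holding Gradle's own runtime and worker jars, or enabling the narrower permissions that are currently commented out, would preserve the file's "everything not allowed here is forbidden" intent. The same block is added to tests.policy in this commit. The commented-out lines should either be removed or carry a note saying they are the intended replacement for `AllPermission`.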
@@ -33,8 +44,12 @@ grant {
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
permission java.io.FilePermission "${tests.linedocsfile}", "read";
+ permission java.io.FilePermission "${user.home}${/}.gradle${/}-", "read";
permission java.nio.file.LinkPermission "hard";
+ // gradle tmp out dir
+ permission java.io.FilePermission ".out${/}-", "read,write,delete";
+
// all possibilities of accepting/binding connections on localhost with ports >=1024:
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
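Review bot: The `".out${/}-"` permission is a relative path, so the directory it covers depends on the working directory of each forked test JVM rather than on a fixed location. configure-test.gradle in this commit sets `java.io.tmpdir` to `.out/tests-temp`, so `"${java.io.tmpdir}${/}-"` would tie the write/delete grant to the temp directory the tests are told to use, assuming nothing else under `.out` needs to be writable. The added `.gradle` read line has no effect in this file because `<<ALL FILES>>` read is already granted above. The same `.out` line is added to tests.policy.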
diff --git a/lucene/tools/junit4/tests.policy b/lucene/tools/junit4/tests.policy
index 7494981..dcc0a1d 100644
--- a/lucene/tools/junit4/tests.policy
+++ b/lucene/tools/junit4/tests.policy
@@ -17,12 +17,23 @@
// Policy file for lucene tests. Please keep minimal and avoid wildcards.
+// Gradle needs permissions
+grant codeBase "file:${user.home}/.gradle/-" {
+ permission java.security.AllPermission;
+// permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
+// permission java.lang.reflect.ReflectPermission "*";
+// permission java.util.logging.LoggingPermission "control";
+// permission java.util.PropertyPermission "*", "read,write";
+// permission java.io.FilePermission "${user.home}${/}.gradle${/}-", "read,write,delete";
+};
+
grant {
// contain read access to only what we need:
// 3rd party jar resources (where symlinks are not supported), test-files/ resources
permission java.io.FilePermission "${common.dir}${/}-", "read";
// 3rd party jar resources (where symlinks are supported)
permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
+ permission java.io.FilePermission "${user.home}${/}.gradle${/}-", "read";
// system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
permission java.io.FilePermission "${java.home}${/}-", "read,execute";
// should be enclosed within common.dir, but just in case:
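Review bot: The added read permission on `"${user.home}${/}.gradle${/}-"` covers the entire Gradle user home, which is broader than the dependency jars it replaces from `.ivy2${/}cache`. That directory commonly also holds a user-level `gradle.properties`, which can contain repository or signing credentials that test code would then be able to read. Limiting the path to the cache subdirectory that holds resolved jars would match the "contain read access to only what we need" comment at the top of this grant block. A comment on the line saying it is for third-party jar resources, like the `.ivy2` line above it, would also help.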
@@ -35,6 +46,8 @@ grant {
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
permission java.io.FilePermission "${tests.linedocsfile}", "read";
+ // gradle tmp out dir
+ permission java.io.FilePermission ".out${/}-", "read,write,delete";
// misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created
permission java.nio.file.LinkPermission "hard";
@@ -101,6 +114,10 @@ grant {
permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
+ // Another one for jetty
+ permission java.util.PropertyPermission "jetty.git.hash", "write";
+
+
// allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
permission java.security.SecurityPermission "createAccessControlContext";
};
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index 3bceff1..34940b5 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -137,6 +137,13 @@
</Set>
</New>
+ <!-- =========================================================== -->
+ <!-- Set handler Collection Structure -->
+ <!-- =========================================================== -->
+ <Set name="handler">
+ <Ref id="RewriteHandler"/>
+ </Set>
+
<!-- =========================================================== -->
<!-- Configure Request Log -->
<!-- =========================================================== -->
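Review bot: This `<Set name="handler">` is added to the server's shipped `solr/server/etc/jetty.xml`, while the commit message only describes test security manager and test system property changes. If the file already sets `handler` elsewhere (not visible in this hunk), one assignment replaces the other and the effective handler chain changes for production installs. It would help to state in the commit message, or in a comment next to the element, why the tests need this, or to move the change to a test-only Jetty configuration.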