You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by dw...@apache.org on 2019/12/06 18:04:18 UTC
[lucene-solr] branch gradle-master updated (3e4d8a1 -> 3726317)
This is an automated email from the ASF dual-hosted git repository.
dweiss pushed a change to branch gradle-master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git.
from 3e4d8a1 Initial support for running with security manager (lucene).
add 106b9d6 SOLR-13988: Harden CreateCollectionCleanupTest
add a7444f7 LUCENE-9077: Add support for running under gradle test runner.
new 0d18581 Merge remote-tracking branch 'origin/master' into gradle-master
new 3726317 Enable security manager for the replicator module. The test policy for the replicator duplicates everything the regular policy has and just adds those nasty jetty-specific sections. Easier to diff/ spot the difference.
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../{tests.policy => replicator-tests.policy} | 29 +++++++++---------
gradle/testing/policies/tests.policy | 34 +++++++---------------
gradle/testing/randomization.gradle | 7 ++---
.../solr/cloud/CreateCollectionCleanupTest.java | 16 ++++++----
.../org/apache/solr/util/SolrSecurityManager.java | 4 ++-
5 files changed, 40 insertions(+), 50 deletions(-)
copy gradle/testing/policies/{tests.policy => replicator-tests.policy} (90%)
[lucene-solr] 01/02: Merge remote-tracking branch 'origin/master'
into gradle-master
Posted by dw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
dweiss pushed a commit to branch gradle-master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
commit 0d18581225408a74b4f2c12bf6fb5c80f475f022
Merge: 3e4d8a1 a7444f7
Author: Dawid Weiss <dw...@apache.org>
AuthorDate: Fri Dec 6 19:02:26 2019 +0100
Merge remote-tracking branch 'origin/master' into gradle-master
.../apache/solr/cloud/CreateCollectionCleanupTest.java | 16 ++++++++++------
.../java/org/apache/solr/util/SolrSecurityManager.java | 4 +++-
2 files changed, 13 insertions(+), 7 deletions(-)
[lucene-solr] 02/02: Enable security manager for the replicator
module. The test policy for the replicator duplicates everything the
regular policy has and just adds those nasty jetty-specific sections.
Easier to diff/ spot the difference.
Posted by dw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
dweiss pushed a commit to branch gradle-master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
commit 37263176cb561a34b92c0d8b67a513759ad643be
Author: Dawid Weiss <dw...@apache.org>
AuthorDate: Fri Dec 6 19:04:07 2019 +0100
Enable security manager for the replicator module. The test policy for the replicator duplicates everything the regular policy has and just adds those nasty jetty-specific sections. Easier to diff/ spot the difference.
---
.../{tests.policy => replicator-tests.policy} | 29 +++++++++---------
gradle/testing/policies/tests.policy | 34 +++++++---------------
gradle/testing/randomization.gradle | 7 ++---
3 files changed, 27 insertions(+), 43 deletions(-)
diff --git a/gradle/testing/policies/tests.policy b/gradle/testing/policies/replicator-tests.policy
similarity index 90%
copy from gradle/testing/policies/tests.policy
copy to gradle/testing/policies/replicator-tests.policy
index 9cdfaa1..9508a04 100644
--- a/gradle/testing/policies/tests.policy
+++ b/gradle/testing/policies/replicator-tests.policy
@@ -33,10 +33,10 @@ grant {
// needed by SSD detection tests in TestIOUtils (creates symlinks)
permission java.nio.file.LinkPermission "symbolic";
-// needed by gson serialization of junit4 runner: TODO clean that up
+ // needed by randomizedtesting runner to identify test methods.
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- // needed by junit4 runner to capture sysout/syserr:
+ // needed by certain tests to redirect sysout/syserr:
permission java.lang.RuntimePermission "setIO";
// needed by randomized runner to catch failures from other threads:
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
@@ -63,12 +63,16 @@ grant {
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
- // read access to all system properties:
+ // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
+ permission java.security.SecurityPermission "createAccessControlContext";
+
+ // read access to all system properties.
permission java.util.PropertyPermission "*", "read";
- // write access to only these:
- // locale randomization
+
+ // write access to only these.
+
+ // environment randomization
permission java.util.PropertyPermission "user.language", "write";
- // timezone randomization
permission java.util.PropertyPermission "user.timezone", "write";
// CMS randomization
@@ -78,10 +82,10 @@ grant {
// used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this
permission java.util.PropertyPermission "tests.runnested", "write";
- // solr properties. TODO: move these out to SolrTestCase
- permission java.util.PropertyPermission "solr.data.dir", "write";
- permission java.util.PropertyPermission "solr.solr.home", "write";
- permission java.util.PropertyPermission "solr.directoryFactory", "write";
+ // this section is replicator-specific (jetty)
+
+ // write access to all system properties
+ permission java.util.PropertyPermission "*", "write";
// replicator: jetty tests require some network permissions:
// all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
@@ -92,9 +96,6 @@ grant {
// SSL related properties for jetty
permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
-
- // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
- permission java.security.SecurityPermission "createAccessControlContext";
};
@@ -113,4 +114,4 @@ grant {
permission java.io.FilePermission "${gradle.worker.jar}", "read";
// Allow reading from classpath JARs (resources).
permission java.io.FilePermission "${gradle.user.home}${/}-", "read";
-};
+};
\ No newline at end of file
diff --git a/gradle/testing/policies/tests.policy b/gradle/testing/policies/tests.policy
index 9cdfaa1..f8a1af4 100644
--- a/gradle/testing/policies/tests.policy
+++ b/gradle/testing/policies/tests.policy
@@ -33,10 +33,10 @@ grant {
// needed by SSD detection tests in TestIOUtils (creates symlinks)
permission java.nio.file.LinkPermission "symbolic";
-// needed by gson serialization of junit4 runner: TODO clean that up
+ // needed by randomizedtesting runner to identify test methods.
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- // needed by junit4 runner to capture sysout/syserr:
+ // needed by certain tests to redirect sysout/syserr:
permission java.lang.RuntimePermission "setIO";
// needed by randomized runner to catch failures from other threads:
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
@@ -63,12 +63,16 @@ grant {
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
- // read access to all system properties:
+ // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
+ permission java.security.SecurityPermission "createAccessControlContext";
+
+ // read access to all system properties.
permission java.util.PropertyPermission "*", "read";
- // write access to only these:
- // locale randomization
+
+ // write access to only these.
+
+ // environment randomization
permission java.util.PropertyPermission "user.language", "write";
- // timezone randomization
permission java.util.PropertyPermission "user.timezone", "write";
// CMS randomization
@@ -77,24 +81,6 @@ grant {
// used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this
permission java.util.PropertyPermission "tests.runnested", "write";
-
- // solr properties. TODO: move these out to SolrTestCase
- permission java.util.PropertyPermission "solr.data.dir", "write";
- permission java.util.PropertyPermission "solr.solr.home", "write";
- permission java.util.PropertyPermission "solr.directoryFactory", "write";
-
- // replicator: jetty tests require some network permissions:
- // all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
- permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
- permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
- permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";
-
- // SSL related properties for jetty
- permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
- permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
-
- // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
- permission java.security.SecurityPermission "createAccessControlContext";
};
diff --git a/gradle/testing/randomization.gradle b/gradle/testing/randomization.gradle
index 6df7ce6..bdbb157 100644
--- a/gradle/testing/randomization.gradle
+++ b/gradle/testing/randomization.gradle
@@ -157,11 +157,8 @@ allprojects {
// to each project's build/ configuration but it seems compact enough to keep it here for now.
if (Boolean.parseBoolean(testOptionsResolved["tests.useSecurityManager"])) {
if (project.path == ":lucene:replicator") {
- // systemProperty 'java.security.manager', "org.apache.lucene.util.TestSecurityManager"
- // systemProperty 'java.security.policy', file("${commonDir}/tools/junit4/replicator-tests.policy")
- doFirst {
- logger.log(LogLevel.WARN, "Running with security manager not implemented for: ${project.path}")
- }
+ systemProperty 'java.security.manager', "org.apache.lucene.util.TestSecurityManager"
+ systemProperty 'java.security.policy', rootProject.file("gradle/testing/policies/replicator-tests.policy")
} else if (project.path.startsWith(":lucene")) {
systemProperty 'java.security.manager', "org.apache.lucene.util.TestSecurityManager"
systemProperty 'java.security.policy', rootProject.file("gradle/testing/policies/tests.policy")