Posted to derby-commits@db.apache.org by dj...@apache.org on 2005/10/20 00:38:09 UTC
svn commit: r326736 - in
/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests:
harness/RunTest.java util/derby_tests.policy
Author: djd
Date: Wed Oct 19 15:38:02 2005
New Revision: 326736
URL: http://svn.apache.org/viewcvs?rev=326736&view=rev
Log:
DERBY-615 Change the test harness to run tests with a security manager
by default, using the same mechanism as used to install a security manager
for the separate network server process.
The security manager is not installed when any of the following are true:
noSecurityManager=true is in the <testname>_app.properties file
JCC (DB2 Universal Driver) is the JDBC client - this is a short term restriction.
Tests where useProcess=false, e.g. nist suite - this is a short term restriction.
Update the policy file to allow most remaining tests to run using a security manager.
Modified:
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java?rev=326736&r1=326735&r2=326736&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java Wed Oct 19 15:38:02 2005
@@ -172,6 +172,14 @@
static boolean lastTestFailed = false;
static boolean isI18N = false;
+
+ /**
+ * Run the test without a security manager. Hopefully
+ * should only be used in few cases. Though initially
+ * may be used to bypass problematic tests and get the
+ * remainder of the tests running with the security manager.
+ */
+ static boolean runWithoutSecurityManager;
static InputStream isSed = null; // For test_sed.properties // Cliff
@@ -1116,6 +1124,7 @@
String uscdb = sp.getProperty("useCommonDB");
if (uscdb != null && uscdb.equals("true"))
useCommonDB = true;
+
}
private static String createPropString()
@@ -1500,9 +1509,13 @@
if (jvmflags.startsWith("-ms"))
jvmflags = "";
}
- }
+ }
- // Also check for supportfiles
+ if (NetServer.isJCCConnection(framework)
+ || "true".equalsIgnoreCase(ap.getProperty("noSecurityManager")))
+ runWithoutSecurityManager = true;
+
+ // Also check for supportfiles
String suppFiles = ap.getProperty("supportfiles");
boolean copySupportFiles = ((suppFiles != null) && (suppFiles.length()>0));
boolean createExtDirs= new Boolean(ap.getProperty("useextdirs","false")).booleanValue();
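Review bot: `runWithoutSecurityManager` is a static field that this condition only ever sets to true, so once one test opts out the flag stays set for any later test handled by the same RunTest class in that JVM. Whether RunTest is re-entered within one JVM is not visible in this hunk, but assigning the result directly removes the question: `runWithoutSecurityManager = NetServer.isJCCConnection(framework) || "true".equalsIgnoreCase(ap.getProperty("noSecurityManager"));`. The log also lists useProcess=false as a case with no security manager and nothing in this condition covers it, so it is presumably handled elsewhere; a comment saying where would help the next reader. The enclosing method starts and ends outside the hunk.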
@@ -2060,6 +2073,12 @@
+"="+encryptionAlgorithm+"\"");
}
jvm.setD(jvmProps);
+
+ // set security properties
+ if (!runWithoutSecurityManager)
+ jvm.setSecurityProps();
+ else
+ System.out.println("-- SecurityManager not installed --");
Vector v = jvm.getCommandLine();
if ( ij.startsWith("ij") )
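Review bot: The else branch prints the same line for every bypass, so a run log cannot tell a JCC-framework skip from a per-test `noSecurityManager=true` opt-out, even though the field's Javadoc says the bypass is meant to be used in few cases. I would add a comment above the check such as `// Skipped for JCC clients or noSecurityManager=true in <testname>_app.properties (DERBY-615)` and consider putting the cause in the printed message so opt-outs can be counted from harness output. The enclosing method starts and ends outside the hunk.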
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=326736&r1=326735&r2=326736&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy Wed Oct 19 15:38:02 2005
@@ -65,13 +65,57 @@
// sane=true, jdbcapi/secureUsers1.sql
permission java.io.FilePermission "${user.dir}${/}CloudLDAP.out", "write";
+
+};
+
+//
+// Permissions for the network client (derbyclient.jar)
+//
+grant codeBase "${csinfo.codejar}derbyclient.jar" {
+ permission java.net.SocketPermission "127.0.0.1", "connect,resolve";
+ permission java.net.SocketPermission "localhost", "connect,resolve";
+};
+
+//
+// Permissions for the tools (derbytools.jar)
+// Ideally this would be more secure, for now the
+// focus is on getting the engine & network server secure.
+//
+grant codeBase "${csinfo.codejar}derbytools.jar" {
+ // Access all properties using System.getProperties
+ permission java.util.PropertyPermission "*", "read, write";
+
+ // Read all files under ${user.dir}
+ permission java.io.FilePermission "${user.dir}${/}-", "read";
+
+ // ij needs permission to read the sql files in this jar
+ permission java.io.FilePermission "${csinfo.codedir}${/}derbyTesting.jar", "read";
+
+ // sane=true, jdbcapi/secureUsers1.sql
+ permission java.io.FilePermission "${user.dir}${/}CloudLDAP.out", "write";
+};
+
+//
+// Permissions for the tests (derbyTesting.jar)
+// We are liberal here, it's not a goal to make the test harness
+// or tests secure.
+//
+grant codeBase "${csinfo.codejar}derbyTesting.jar" {
+ // Access all properties using System.getProperties
+ permission java.util.PropertyPermission "*", "read, write";
+
+ // Access all files under ${user.dir}to write the test directory structure
+ permission java.io.FilePermission "${user.dir}${/}-", "read,write,delete";
+
};
//
// super-set of the jar permissions for running out of the classes directory
//
grant codeBase "${csinfo.codeclasses}" {
-
+ // Access all properties using System.getProperties
+ permission java.util.PropertyPermission "*", "read, write";
+
permission java.util.PropertyPermission "derby.*", "read";
permission java.lang.RuntimePermission "createClassLoader";
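Review bot: The `${csinfo.codeclasses}` grant now gives `PropertyPermission "*", "read, write"` to everything loaded from the classes directory, which by the block's own "super-set of the jar permissions" comment presumably includes engine and network server code, not only tools and tests. That makes the following `PropertyPermission "derby.*", "read"` line redundant in this block and means a classes-directory run cannot reveal a property permission the engine is missing; the same holds for the `${user.dir}${/}-` "read,write,delete" entry and the widened localhost `SocketPermission` entries added to this block in the next hunk. I would state that limit in the block comment, e.g. `// NOTE: engine code shares these liberal test permissions here; only jar-based runs exercise the engine's own policy.` The comment text `${user.dir}to` in the derbyTesting.jar grant is also missing a space. The codeclasses grant continues past the end of this hunk.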
@@ -80,11 +124,16 @@
permission java.io.FilePermission "${derby.system.home}", "read";
permission java.io.FilePermission "${derby.system.home}${/}-", "read, write, delete";
- permission java.net.SocketPermission "127.0.0.1", "accept";
- permission java.net.SocketPermission "localhost", "accept";
+ // combination of client and server side.
+ permission java.net.SocketPermission "127.0.0.1", "accept,connect,resolve";
+ permission java.net.SocketPermission "localhost", "accept,connect,resolve";
permission java.net.SocketPermission "${csinfo.serverhost}", "accept";
- permission java.net.SocketPermission "${csinfo.trustedhost}", "accept";
+ permission java.net.SocketPermission "${csinfo.trustedhost}", "accept";
+ // Access all files under ${user.dir}to write the test directory structure
+ permission java.io.FilePermission "${user.dir}${/}-", "read,write,delete";
+
+
// Import/export and other support files from these locations in tests
permission java.io.FilePermission "${user.dir}${/}extin${/}*", "read";
permission java.io.FilePermission "${user.dir}${/}extinout${/}*", "read, write";