You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by dj...@apache.org on 2005/10/20 00:38:09 UTC

svn commit: r326736 - in /db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests: harness/RunTest.java util/derby_tests.policy

Author: djd
Date: Wed Oct 19 15:38:02 2005
New Revision: 326736

URL: http://svn.apache.org/viewcvs?rev=326736&view=rev
Log:
DERBY-615 Change the test harness to run tests with a security manager
by default, using the same mechanism as used to install a security manager
for the separate network server process.
The security manager is not installed when any of the following are true:

 noSecurityManager=true is in the <testname>_app.properties file

 JCC (DB2 Universal Driver) is the JDBC client - this is a short term restriction.

 Tests where useProcess=false, e.g. nist suite - this is a short term restriction.

Update the policy file to allow most remaining tests to run using a security manager.


Modified:
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java?rev=326736&r1=326735&r2=326736&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/harness/RunTest.java Wed Oct 19 15:38:02 2005
@@ -172,6 +172,14 @@
     static boolean lastTestFailed = false;
 
     static boolean isI18N = false;
+    
+    /**
+     * Run the test without a security manager. Hopefully
+     * should only be used in few cases. Though initially
+     * may be used to bypass problematic tests and get the
+     * remainder of the tests running with the security manager.
+     */
+    static boolean runWithoutSecurityManager;
 
     static InputStream isSed = null; // For test_sed.properties // Cliff
 
@@ -1116,6 +1124,7 @@
 		String uscdb = sp.getProperty("useCommonDB");
 		if (uscdb != null && uscdb.equals("true"))
 			useCommonDB = true;
+		
     }
 
     private static String createPropString()
@@ -1500,9 +1509,13 @@
 	                if (jvmflags.startsWith("-ms"))
 	                    jvmflags = "";
 	            }
-	        }	        
+	        }
 	        
-    		// Also check for supportfiles
+	        if (NetServer.isJCCConnection(framework)
+	        		|| "true".equalsIgnoreCase(ap.getProperty("noSecurityManager")))
+	        	runWithoutSecurityManager = true;
+	        
+   		// Also check for supportfiles
     		String suppFiles = ap.getProperty("supportfiles");
 			boolean copySupportFiles = ((suppFiles != null) && (suppFiles.length()>0));
 			boolean createExtDirs= new Boolean(ap.getProperty("useextdirs","false")).booleanValue();
@@ -2060,6 +2073,12 @@
                         +"="+encryptionAlgorithm+"\"");
         }
         jvm.setD(jvmProps);
+        
+        // set security properties
+        if (!runWithoutSecurityManager)
+            jvm.setSecurityProps();
+        else
+        	System.out.println("-- SecurityManager not installed --");
             
         Vector v = jvm.getCommandLine();
         if ( ij.startsWith("ij") )

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
URL: http://svn.apache.org/viewcvs/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=326736&r1=326735&r2=326736&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy Wed Oct 19 15:38:02 2005
@@ -65,13 +65,57 @@
   
   // sane=true, jdbcapi/secureUsers1.sql
   permission java.io.FilePermission "${user.dir}${/}CloudLDAP.out", "write"; 
+
+};
+
+//
+// Permissions for the network client (derbyclient.jar)
+//
+grant codeBase "${csinfo.codejar}derbyclient.jar" {
+  permission java.net.SocketPermission "127.0.0.1", "connect,resolve";
+  permission java.net.SocketPermission "localhost", "connect,resolve";
+};
+
+//
+// Permissions for the tools (derbytools.jar)
+// Ideally this would be more secure, for now the
+// focus is on getting the engine & network server secure.
+//
+grant codeBase "${csinfo.codejar}derbytools.jar" {
+  // Access all properties using System.getProperties
+  permission java.util.PropertyPermission "*", "read, write";
+  
+  // Read all files under ${user.dir}
+  permission java.io.FilePermission "${user.dir}${/}-", "read";
+  
+  // ij needs permission to read the sql files in this jar
+  permission java.io.FilePermission "${csinfo.codedir}${/}derbyTesting.jar", "read";
+  
+  // sane=true, jdbcapi/secureUsers1.sql
+  permission java.io.FilePermission "${user.dir}${/}CloudLDAP.out", "write"; 
+};
+
+//
+// Permissions for the tests (derbyTesting.jar)
+// We are liberal here, it's not a goal to make the test harness
+// or tests secure.
+//
+grant codeBase "${csinfo.codejar}derbyTesting.jar" {
+  // Access all properties using System.getProperties
+  permission java.util.PropertyPermission "*", "read, write";
+  
+  // Access all files under ${user.dir}to write the test directory structure
+  permission java.io.FilePermission "${user.dir}${/}-", "read,write,delete"; 
+  
 };
 
 //
 // super-set of the jar permissions for running out of the classes directory
 //
 grant codeBase "${csinfo.codeclasses}" {
-
+  // Access all properties using System.getProperties
+  permission java.util.PropertyPermission "*", "read, write";
+  
   permission java.util.PropertyPermission "derby.*", "read";
   permission java.lang.RuntimePermission "createClassLoader";
    
@@ -80,11 +124,16 @@
   permission java.io.FilePermission "${derby.system.home}", "read";
   permission java.io.FilePermission "${derby.system.home}${/}-", "read, write, delete";
 
-  permission java.net.SocketPermission "127.0.0.1", "accept";
-  permission java.net.SocketPermission "localhost", "accept";
+  // combination of client and server side.
+  permission java.net.SocketPermission "127.0.0.1", "accept,connect,resolve";
+  permission java.net.SocketPermission "localhost", "accept,connect,resolve";
   permission java.net.SocketPermission "${csinfo.serverhost}", "accept";
-  permission java.net.SocketPermission "${csinfo.trustedhost}", "accept";   
+  permission java.net.SocketPermission "${csinfo.trustedhost}", "accept"; 
 
+  // Access all files under ${user.dir}to write the test directory structure
+  permission java.io.FilePermission "${user.dir}${/}-", "read,write,delete"; 
+  
+  
   // Import/export and other support files from these locations in tests
   permission java.io.FilePermission "${user.dir}${/}extin${/}*", "read";
   permission java.io.FilePermission "${user.dir}${/}extinout${/}*", "read, write";