mirror of https://github.com/apache/lucene.git
LUCENE-6238: minimize tests.policy
git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1662254 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
0e505bcc00
commit
8cfb3a9398
|
@ -31,7 +31,7 @@ public class TestFilesystemResourceLoader extends LuceneTestCase {
|
|||
|
||||
private void assertNotFound(ResourceLoader rl) throws Exception {
|
||||
try {
|
||||
IOUtils.closeWhileHandlingException(rl.openResource("/this-directory-really-really-really-should-not-exist/foo/bar.txt"));
|
||||
IOUtils.closeWhileHandlingException(rl.openResource("this-directory-really-really-really-should-not-exist/foo/bar.txt"));
|
||||
fail("The resource does not exist, should fail!");
|
||||
} catch (IOException ioe) {
|
||||
// pass
|
||||
|
|
|
@ -80,7 +80,7 @@ public class BasicAEProvider implements AEProvider {
|
|||
private XMLInputSource getInputSource() throws IOException {
|
||||
try {
|
||||
return new XMLInputSource(aePath);
|
||||
} catch (IOException e) {
|
||||
} catch (Exception e) {
|
||||
return new XMLInputSource(getClass().getResource(aePath));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -125,6 +125,7 @@
|
|||
<property name="tests.filterstacks" value="true"/>
|
||||
<property name="tests.luceneMatchVersion" value="${version.base}"/>
|
||||
<property name="tests.asserts" value="true" />
|
||||
<property name="tests.policy" location="${common.dir}/tools/junit4/tests.policy"/>
|
||||
|
||||
<condition property="tests.asserts.args" value="-ea -esa" else="">
|
||||
<istrue value="${tests.asserts}"/>
|
||||
|
@ -1012,11 +1013,12 @@
|
|||
|
||||
<!-- Restrict access to certain Java features and install security manager: -->
|
||||
<sysproperty key="junit4.tempDir" file="@{workDir}/temp" />
|
||||
<sysproperty key="common.dir" file="${common.dir}" />
|
||||
<sysproperty key="clover.db.dir" file="${clover.db.dir}" />
|
||||
<syspropertyset>
|
||||
<propertyref prefix="java.security.manager"/>
|
||||
</syspropertyset>
|
||||
<sysproperty key="java.security.policy" file="${common.dir}/tools/junit4/tests.policy" />
|
||||
<sysproperty key="java.security.policy" file="${tests.policy}" />
|
||||
|
||||
<sysproperty key="tests.LUCENE_VERSION" value="${version.base}"/>
|
||||
|
||||
|
@ -2501,7 +2503,7 @@ The following arguments can be provided to ant to alter its behaviour and target
|
|||
|
||||
<junit4:pickseed property="pitest.seed" />
|
||||
|
||||
<property name="pitest.sysprops" value="-Dversion=${version},-Dtest.seed=${pitest.seed},-Djava.security.manager=org.apache.lucene.util.TestSecurityManager,-Djava.security.policy=${common.dir}/tools/junit4/tests.policy,-Djava.io.tmpdir=${tests.workDir},-Djunit4.childvm.cwd=${tests.workDir},-Djunit4.tempDir=${tests.workDir}" />
|
||||
<property name="pitest.sysprops" value="-Dversion=${version},-Dtest.seed=${pitest.seed},-Djava.security.manager=org.apache.lucene.util.TestSecurityManager,-Djava.security.policy=${tests.policy},-Djava.io.tmpdir=${tests.workDir},-Djunit4.childvm.cwd=${tests.workDir},-Djunit4.tempDir=${tests.workDir}" />
|
||||
|
||||
<pitest
|
||||
classPath="pitest.classpath"
|
||||
|
|
|
@ -215,7 +215,7 @@ public class TestIOUtils extends LuceneTestCase {
|
|||
@Override
|
||||
public void checkAccess(Path path, AccessMode... modes) throws IOException {
|
||||
// TODO: kinda screwed up how we do this, but it's easy to get lost. just unravel completely.
|
||||
delegate.checkAccess(FilterPath.unwrap(path), modes);
|
||||
delegate.checkAccess(maybeChroot(FilterPath.unwrap(path)), modes);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -0,0 +1,90 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
// Policy file to prevent tests from writing outside the test sandbox directory
|
||||
// (must be given as a sysprop: tests.sandbox.dir)
|
||||
// This policy also disallows stuff like listening on network ports of interfaces
|
||||
// different than 127.0.0.1.
|
||||
|
||||
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
|
||||
// everything not allowed here is forbidden!
|
||||
|
||||
grant {
|
||||
// permissions for file access, write access only to sandbox:
|
||||
permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
|
||||
|
||||
// all possibilities of accepting/binding connections on localhost with ports >=1024:
|
||||
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
|
||||
permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
|
||||
permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
|
||||
|
||||
// This is a special case, because the network config of the ASF Jenkins server is broken,
|
||||
// see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
|
||||
permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
|
||||
|
||||
// Allow connecting to the internet anywhere
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
|
||||
// Basic permissions needed for Lucene to work:
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
permission java.lang.reflect.ReflectPermission "*";
|
||||
permission java.lang.RuntimePermission "*";
|
||||
|
||||
// These two *have* to be spelled out a separate
|
||||
permission java.lang.management.ManagementPermission "control";
|
||||
permission java.lang.management.ManagementPermission "monitor";
|
||||
|
||||
// Solr needs those:
|
||||
permission java.net.NetPermission "*";
|
||||
permission java.sql.SQLPermission "*";
|
||||
permission java.util.logging.LoggingPermission "control";
|
||||
permission javax.management.MBeanPermission "*", "*";
|
||||
permission javax.management.MBeanServerPermission "*";
|
||||
permission javax.management.MBeanTrustPermission "*";
|
||||
permission javax.security.auth.AuthPermission "*";
|
||||
permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
|
||||
permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
|
||||
permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
|
||||
permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
|
||||
|
||||
// TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
|
||||
permission java.security.SecurityPermission "putProviderProperty.BC";
|
||||
permission java.security.SecurityPermission "insertProvider.BC";
|
||||
|
||||
// Needed for some things in DNS caching in the JVM
|
||||
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
|
||||
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
|
||||
|
||||
// SSL related properties for Solr tests
|
||||
permission java.security.SecurityPermission "getProperty.ssl.*";
|
||||
|
||||
// SASL/Kerberos related properties for Solr tests
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
|
||||
|
||||
// may only be necessary with Java 7?
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
|
||||
permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
|
||||
|
||||
permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
|
||||
permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
|
||||
permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
|
||||
};
|
|
@ -15,76 +15,71 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
// Policy file to prevent tests from writing outside the test sandbox directory
|
||||
// (must be given as a sysprop: tests.sandbox.dir)
|
||||
// This policy also disallows stuff like listening on network ports of interfaces
|
||||
// different than 127.0.0.1.
|
||||
|
||||
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
|
||||
// everything not allowed here is forbidden!
|
||||
// Policy file for lucene tests. Please keep minimal and avoid wildcards.
|
||||
|
||||
grant {
|
||||
// permissions for file access, write access only to sandbox:
|
||||
permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
|
||||
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
|
||||
// contain read access to only what we need:
|
||||
// 3rd party jar resources (where symlinks are not supported), test-files/ resources
|
||||
permission java.io.FilePermission "${common.dir}${/}-", "read";
|
||||
// 3rd party jar resources (where symlinks are supported)
|
||||
permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
|
||||
// system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
|
||||
permission java.io.FilePermission "${java.home}${/}-", "read,execute";
|
||||
// should be enclosed within common.dir, but just in case:
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
|
||||
|
||||
// write only to sandbox
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
|
||||
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
|
||||
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
|
||||
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
|
||||
|
||||
// needed by gson serialization of junit4 runner: TODO clean that up
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
||||
// needed by junit4 runner to capture sysout/syserr:
|
||||
permission java.lang.RuntimePermission "setIO";
|
||||
// needed by randomized runner to catch failures from other threads:
|
||||
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
|
||||
// needed by randomized runner getTopThreadGroup:
|
||||
permission java.lang.RuntimePermission "modifyThreadGroup";
|
||||
// needed by tests e.g. shutting down executors:
|
||||
permission java.lang.RuntimePermission "modifyThread";
|
||||
// needed for tons of test hacks etc
|
||||
permission java.lang.RuntimePermission "getStackTrace";
|
||||
// needed for mock filesystems in tests
|
||||
permission java.lang.RuntimePermission "fileSystemProvider";
|
||||
// needed for mock filesystems in tests (to capture implCloseChannel)
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
||||
// needed by junit nested compat tests (due to static fields reflection), TODO clean these up:
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.locale";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.fs";
|
||||
// needed for test of IOUtils.spins (maybe it can be avoided)
|
||||
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
||||
// analyzers/morfologik: needed for a horrible context classloader hack for solr in morfologikfilter: nuke this
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
// analyzers/uima: needed by UIMA message localization... (?)
|
||||
permission java.lang.RuntimePermission "createSecurityManager";
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
// needed to test unmap hack on platforms that support it
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
|
||||
|
||||
// all possibilities of accepting/binding connections on localhost with ports >=1024:
|
||||
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
|
||||
permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
|
||||
permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
|
||||
// read access to all system properties:
|
||||
// needed by junit4 BootstrapEvent (it calls System.getProperties, used by ant xml reporting?)
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
|
||||
// replicator: jetty tests require some network permissions:
|
||||
// all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
|
||||
permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
|
||||
permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
|
||||
permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";
|
||||
|
||||
// This is a special case, because the network config of the ASF Jenkins server is broken,
|
||||
// see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
|
||||
permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
|
||||
|
||||
// Allow connecting to the internet anywhere
|
||||
permission java.net.SocketPermission "*", "connect,resolve";
|
||||
|
||||
// Basic permissions needed for Lucene to work:
|
||||
permission java.util.PropertyPermission "*", "read,write";
|
||||
permission java.lang.reflect.ReflectPermission "*";
|
||||
permission java.lang.RuntimePermission "*";
|
||||
permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen,connect,resolve";
|
||||
|
||||
// These two *have* to be spelled out a separate
|
||||
permission java.lang.management.ManagementPermission "control";
|
||||
permission java.lang.management.ManagementPermission "monitor";
|
||||
|
||||
// Solr needs those:
|
||||
permission java.net.NetPermission "*";
|
||||
permission java.sql.SQLPermission "*";
|
||||
permission java.util.logging.LoggingPermission "control";
|
||||
permission javax.management.MBeanPermission "*", "*";
|
||||
permission javax.management.MBeanServerPermission "*";
|
||||
permission javax.management.MBeanTrustPermission "*";
|
||||
permission javax.security.auth.AuthPermission "*";
|
||||
permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
|
||||
permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
|
||||
permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
|
||||
permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
|
||||
|
||||
// TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
|
||||
permission java.security.SecurityPermission "putProviderProperty.BC";
|
||||
permission java.security.SecurityPermission "insertProvider.BC";
|
||||
|
||||
// Needed for some things in DNS caching in the JVM
|
||||
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
|
||||
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
|
||||
|
||||
// SSL related properties for Solr tests
|
||||
permission java.security.SecurityPermission "getProperty.ssl.*";
|
||||
|
||||
// SASL/Kerberos related properties for Solr tests
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
|
||||
|
||||
// may only be necessary with Java 7?
|
||||
permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
|
||||
permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
|
||||
|
||||
permission javax.security.auth.kerberos.ServicePermission "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";
|
||||
permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "initiate";
|
||||
permission javax.security.auth.kerberos.ServicePermission "zookeeper/127.0.0.1@EXAMPLE.COM", "accept";
|
||||
// SSL related properties for jetty
|
||||
permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
|
||||
permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";
|
||||
};
|
||||
|
|
|
@ -38,6 +38,7 @@
|
|||
<property name="maven.dist.dir" location="${package.dir}/maven"/>
|
||||
<property name="lucene-libs" location="${dest}/lucene-libs" />
|
||||
<property name="tests.userdir" location="src/test-files"/>
|
||||
<property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
|
||||
<property name="server.dir" location="${common-solr.dir}/server" />
|
||||
<property name="example" location="${common-solr.dir}/example" />
|
||||
<property name="javadoc.dir" location="${dest}/docs"/>
|
||||
|
|
Loading…
Reference in New Issue