/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions copyright [year] [name of copyright owner]".
*
* Copyright 2014 ForgeRock AS.
*/
/**
* Tests that verify that the sandbox is functioning correctly. This test suite is abstract and expects individual
* language implementations to sub-class and provide the script engine. It further assumes that each script engine
* supports basic Java-style syntax for constructing objects and calling methods (true for Javascript and Groovy).
* <p>
* <strong>Note:</strong> just because these tests pass does not mean the sandbox is watertight! For example, if you
* white-list the java.lang.reflect.* classes then script authors have pretty much a free hand. So either only
* white-list exactly those classes that the script should have access to (and never white-list reflection or
* java.lang.Class) or run OpenAM with a SecurityManager enabled and an appropriate security policy in place.
*/
public abstract class AbstractSandboxTests {
/**
 * Prepares the sandboxed script engine that the test methods evaluate scripts against.
 * <p>
 * NOTE(review): the builder expression that the trailing {@code .build()} completes is missing from this listing,
 * so the exact whitelist/blacklist configuration cannot be confirmed here; the inline comment below is the only
 * surviving description of it.
 */
public void setupEngine() {
// Set up very permissive whitelist, and then blacklist our one class
.build());
}
/**
* Convenience wrapper that constructs a program from the given lines of code and then evaluates it in the sandbox.
*/
@SuppressWarnings("unchecked")
}
return (T) result;
}
}
}
@Test
}
@Test
// Given
// When
// Then
}
@Test
// Given
// When
try {
fail("Sandbox failed to protect access to black-listed member");
} catch (ScriptException ex) {
// Then
}
}
}
@Test
try {
fail("Static method calls to black-listed classes should be forbidden.");
} catch (ScriptException ex) {
}
}
/**
 * Test fixture that scripts are presumably permitted to reach (judging by its name; the whitelist itself is not
 * visible in this listing).
 * <p>
 * NOTE(review): the field and accessor that {@code return fruit;} belongs to are missing from this listing, so
 * the class as shown is not syntactically complete.
 */
public static class Allowed {
private boolean dirty = false;
return fruit;
}
/** Flips the private {@code dirty} flag; a script that can call this has reached an allowed instance member. */
public void setDirty() {
dirty = true;
}
}
/**
 * Test fixture that the sandbox is expected to black-list (see the failure messages used by the tests above).
 * <p>
 * Neither member has any observable effect beyond flipping a private flag; the point of the type is that a script
 * which can invoke either of them has bypassed the restriction.
 */
public static class ForbiddenFruit {
    private static boolean danger = false;
    private boolean dirty = false;

    /** Static entry point: a script able to call this has reached a black-listed static method. */
    public static void dangerous() {
        ForbiddenFruit.danger = true;
    }

    /** Instance entry point: a script able to call this has reached a black-listed instance member. */
    public void setDirty() {
        this.dirty = true;
    }
}
}