[rfc][icedtea-web] align Permission attibute behaviour to "expected" behaviour was: Re: status of Permissions attribute implementation

Jiri Vanek jvanek at redhat.com
Tue Jul 14 08:47:08 UTC 2015 

Hello.Here is fix for the issues I spoted during heavyu testing of Permissions attribute.

run befor patch:
Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - opera
Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - midori
Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - opera
FAILED: javawsAllPermNoSecurity(SandboxSignedSandboxTest) null
FAILED: javawsAppletAllPermNoSecurity(SandboxSignedSandboxTest) null
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - midori
Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
FAILED: javawsAllPermNoSecurity(SandboxUnsignedAllPermTest) null
FAILED: javawsAppletAllPermNoSecurity(SandboxUnsignedAllPermTest) null
Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - epiphany
Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - opera
Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
Total tests run: 56; From  those : 0 known to fail
Test known to fail: passed: 0; failed: 0; ignored: 0
Test results: passed: 52; failed: 4; ignored: 0



run after patch:
Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - epiphany
Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - opera
Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - epiphany
Passed: SandboxSignedSandboxTest.javawsAllPermNoSecurity
Passed: SandboxSignedSandboxTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - opera
Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
Passed: SandboxUnsignedAllPermTest.javawsAllPermNoSecurity
Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - opera
Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - midori
Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
Total tests run: 56; From  those : 0 known to fail
Test known to fail: passed: 0; failed: 0; ignored: 0
Test results: passed: 56; failed: 0; ignored: 0



So you can see how thsi was "test driven" so (for reviwer) watching the tests is important.

Attached are also full log.

not sure whether backport to 1.5 ... thoughts?


On 07/13/2015 05:38 PM, Jiri Vanek wrote:
> Hi!
>
> http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20
> http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119
> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
>
> I have added reproducers for all possible cases of Permissions attribute usage:
> High security (ASK_UNSIGNED)
>   - have sense only when attribute is missing. Then user is asked whether to continue. Both signed
> and unsigned javaws/applets
>   - result is pass, itw behaves correctly.
>    - whether it have sense to popup also for unsigned applets... Thats questionable. But I would say
> yes, it is marking that something is wrong. (And Iwould turn to allow_unsigned anyway;)
>
> Low security (ALLOW_UNSIGNED)
>    attribute have invalid value
>     - always fail to start (ok)
>
>   Signed
>    attribute missing
>      run with all permissions as expected
>    attribute have all-permissions value
>      run with all permissions as expected
>    attribute have sandbox value
>      depends on jnlp requesting security/all-permissions element
>       - if there is nothing like it, then app runs n sandbox
>       - if jnlp is requesting, then we currently dont lunch. Thats a bug and should be fixed
>        - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119#l34.78
>
>   Unsigned
>    attribute missing
>      run in sandbox as expected
>    attribute have all-permissions value
>      - here is one disorder applet runs in sandbox, but jnlp file which is NOT requesting
> permissions fails. IMho again bug.
>      - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20#l10.76
>    attribute have sandbox value
>      - if jnlp is requesting all-permissions, then fails
>      - otherwise always run in sandbox
>
> Both bugs seems to have same cause. and should be fixed.
>
>
>
>
> Motivation was report that this dialogue keep popuping for ever under some circumsatnces.
> I was not able to reproduce it, and will negotiate with reporter.
>
>
> I will do similar tests for all implemented manifest attributes.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: permissionsTuning.patch
Type: text/x-patch
Size: 3912 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20150714/afedb08c/permissionsTuning-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patched.tar.gz
Type: application/x-gzip
Size: 160036 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20150714/afedb08c/patched.tar-0001.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: original.tar.gz
Type: application/x-gzip
Size: 117183 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20150714/afedb08c/original.tar-0001.gz>

More information about the distro-pkg-dev mailing list