[rfc][icedtea-web] align Permission attibute behaviour to "expected" behaviour was: Re: status of Permissions attribute implementation

Andrew Azores aazores at redhat.com
Wed Jul 15 13:30:35 UTC 2015 

On 14/07/15 04:47 AM, Jiri Vanek wrote:
> Hello.Here is fix for the issues I spoted during heavyu testing of 
> Permissions attribute.
>
> run befor patch:
> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - opera
> Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - midori
> Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
> Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - opera
> FAILED: javawsAllPermNoSecurity(SandboxSignedSandboxTest) null
> FAILED: javawsAppletAllPermNoSecurity(SandboxSignedSandboxTest) null
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - midori
> Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
> Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
> Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
> Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
> FAILED: javawsAllPermNoSecurity(SandboxUnsignedAllPermTest) null
> FAILED: javawsAppletAllPermNoSecurity(SandboxUnsignedAllPermTest) null
> Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
> Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - epiphany
> Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
> Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
> Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - opera
> Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
> Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
> Total tests run: 56; From  those : 0 known to fail
> Test known to fail: passed: 0; failed: 0; ignored: 0
> Test results: passed: 52; failed: 4; ignored: 0
>
>
>
> run after patch:
> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - epiphany
> Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
> Passed: 
> SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - opera
> Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
> Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - epiphany
> Passed: SandboxSignedSandboxTest.javawsAllPermNoSecurity
> Passed: SandboxSignedSandboxTest.javawsAppletAllPermNoSecurity
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
> Passed: 
> SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - opera
> Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
> Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
> Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
> Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
> Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
> Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
> Passed: SandboxUnsignedAllPermTest.javawsAllPermNoSecurity
> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
> Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - opera
> Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
> Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
> Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
> Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
> Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - midori
> Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
> Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
> Total tests run: 56; From  those : 0 known to fail
> Test known to fail: passed: 0; failed: 0; ignored: 0
> Test results: passed: 56; failed: 0; ignored: 0
>
>
>
> So you can see how thsi was "test driven" so (for reviwer) watching 
> the tests is important.
>
> Attached are also full log.
>
> not sure whether backport to 1.5 ... thoughts?
>
>
> On 07/13/2015 05:38 PM, Jiri Vanek wrote:
>> Hi!
>>
>> http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20
>> http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119
>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions 
>>
>>
>> I have added reproducers for all possible cases of Permissions 
>> attribute usage:
>> High security (ASK_UNSIGNED)
>>   - have sense only when attribute is missing. Then user is asked 
>> whether to continue. Both signed
>> and unsigned javaws/applets
>>   - result is pass, itw behaves correctly.
>>    - whether it have sense to popup also for unsigned applets... 
>> Thats questionable. But I would say
>> yes, it is marking that something is wrong. (And Iwould turn to 
>> allow_unsigned anyway;)
>>
>> Low security (ALLOW_UNSIGNED)
>>    attribute have invalid value
>>     - always fail to start (ok)
>>
>>   Signed
>>    attribute missing
>>      run with all permissions as expected
>>    attribute have all-permissions value
>>      run with all permissions as expected
>>    attribute have sandbox value
>>      depends on jnlp requesting security/all-permissions element
>>       - if there is nothing like it, then app runs n sandbox
>>       - if jnlp is requesting, then we currently dont lunch. Thats a 
>> bug and should be fixed
>>        - two occurrences in 
>> http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119#l34.78
>>
>>   Unsigned
>>    attribute missing
>>      run in sandbox as expected
>>    attribute have all-permissions value
>>      - here is one disorder applet runs in sandbox, but jnlp file 
>> which is NOT requesting
>> permissions fails. IMho again bug.
>>      - two occurrences in 
>> http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20#l10.76
>>    attribute have sandbox value
>>      - if jnlp is requesting all-permissions, then fails
>>      - otherwise always run in sandbox
>>
>> Both bugs seems to have same cause. and should be fixed.
>>
>>
>>
>>
>> Motivation was report that this dialogue keep popuping for ever under 
>> some circumsatnces.
>> I was not able to reproduce it, and will negotiate with reporter.
>>
>>
>> I will do similar tests for all implemented manifest attributes.

Looks good. Backporting to 1.5 is probably a good idea as well.

-- 
Thanks,

Andrew Azores

More information about the distro-pkg-dev mailing list