[rfc][icedtea-web] align Permission attibute behaviour to "expected" behaviour was: Re: status of Permissions attribute implementation

Jiri Vanek jvanek at redhat.com
Wed Jul 15 13:37:39 UTC 2015 

On 07/15/2015 03:30 PM, Andrew Azores wrote:
> On 14/07/15 04:47 AM, Jiri Vanek wrote:
>> Hello.Here is fix for the issues I spoted during heavyu testing of Permissions attribute.
>>
>> run befor patch:
>> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - opera
>> Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
>> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - midori
>> Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - opera
>> FAILED: javawsAllPermNoSecurity(SandboxSignedSandboxTest) null
>> FAILED: javawsAppletAllPermNoSecurity(SandboxSignedSandboxTest) null
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
>> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - midori
>> Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
>> Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
>> FAILED: javawsAllPermNoSecurity(SandboxUnsignedAllPermTest) null
>> FAILED: javawsAppletAllPermNoSecurity(SandboxUnsignedAllPermTest) null
>> Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - epiphany
>> Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - opera
>> Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
>> Total tests run: 56; From  those : 0 known to fail
>> Test known to fail: passed: 0; failed: 0; ignored: 0
>> Test results: passed: 52; failed: 4; ignored: 0
>>
>>
>>
>> run after patch:
>> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedInvalidTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedInvalidTest.appletAllPermAllSecurity - epiphany
>> Passed: SandboxUnsignedInvalidTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedInvalidTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
>> Passed: SandboxUnsignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
>> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedSandboxTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedSandboxTest.appletAllPermAllSecurity - opera
>> Passed: SandboxUnsignedSandboxTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedSandboxTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedSandboxTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedSandboxTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedSandboxTest.appletAllPermAllSecurity - epiphany
>> Passed: SandboxSignedSandboxTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedSandboxTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermNoSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermNoSecurityNo
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAppletAllPermAllSecurityYes
>> Passed: SandboxSignedMissingTestHighSecurity.javawsAllPermAllSecurityYes
>> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedMissingTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedMissingTest.appletAllPermAllSecurity - opera
>> Passed: SandboxUnsignedMissingTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedMissingTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedMissingTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedMissingTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedMissingTest.appletAllPermAllSecurity - midori
>> Passed: SandboxSignedMissingTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedMissingTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxUnsignedAllPermTest.javawsAllPermAllSecurity
>> Passed: SandboxUnsignedAllPermTest.appletAllPermAllSecurity - midori
>> Passed: SandboxUnsignedAllPermTest.javawsAllPermNoSecurity
>> Passed: SandboxUnsignedAllPermTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedAllPermTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedAllPermTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedAllPermTest.appletAllPermAllSecurity - opera
>> Passed: SandboxSignedAllPermTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedAllPermTest.javawsAppletAllPermNoSecurity
>> Passed: SandboxSignedInvalidTest.javawsAppletAllPermAllSecurity
>> Passed: SandboxSignedInvalidTest.javawsAllPermAllSecurity
>> Passed: SandboxSignedInvalidTest.appletAllPermAllSecurity - midori
>> Passed: SandboxSignedInvalidTest.javawsAllPermNoSecurity
>> Passed: SandboxSignedInvalidTest.javawsAppletAllPermNoSecurity
>> Total tests run: 56; From  those : 0 known to fail
>> Test known to fail: passed: 0; failed: 0; ignored: 0
>> Test results: passed: 56; failed: 0; ignored: 0
>>
>>
>>
>> So you can see how thsi was "test driven" so (for reviwer) watching the tests is important.
>>
>> Attached are also full log.
>>
>> not sure whether backport to 1.5 ... thoughts?
>>
>>
>> On 07/13/2015 05:38 PM, Jiri Vanek wrote:
>>> Hi!
>>>
>>> http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20
>>> http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
>>>
>>> I have added reproducers for all possible cases of Permissions attribute usage:
>>> High security (ASK_UNSIGNED)
>>>   - have sense only when attribute is missing. Then user is asked whether to continue. Both signed
>>> and unsigned javaws/applets
>>>   - result is pass, itw behaves correctly.
>>>    - whether it have sense to popup also for unsigned applets... Thats questionable. But I would say
>>> yes, it is marking that something is wrong. (And Iwould turn to allow_unsigned anyway;)
>>>
>>> Low security (ALLOW_UNSIGNED)
>>>    attribute have invalid value
>>>     - always fail to start (ok)
>>>
>>>   Signed
>>>    attribute missing
>>>      run with all permissions as expected
>>>    attribute have all-permissions value
>>>      run with all permissions as expected
>>>    attribute have sandbox value
>>>      depends on jnlp requesting security/all-permissions element
>>>       - if there is nothing like it, then app runs n sandbox
>>>       - if jnlp is requesting, then we currently dont lunch. Thats a bug and should be fixed
>>>        - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119#l34.78
>>>
>>>   Unsigned
>>>    attribute missing
>>>      run in sandbox as expected
>>>    attribute have all-permissions value
>>>      - here is one disorder applet runs in sandbox, but jnlp file which is NOT requesting
>>> permissions fails. IMho again bug.
>>>      - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20#l10.76
>>>    attribute have sandbox value
>>>      - if jnlp is requesting all-permissions, then fails
>>>      - otherwise always run in sandbox
>>>
>>> Both bugs seems to have same cause. and should be fixed.
>>>
>>>
>>>
>>>
>>> Motivation was report that this dialogue keep popuping for ever under some circumsatnces.
>>> I was not able to reproduce it, and will negotiate with reporter.
>>>
>>>
>>> I will do similar tests for all implemented manifest attributes.
>
> Looks good.

really???

> Backporting to 1.5 is probably a good idea as well.

I'm not sure....  I will backport tests first and see how they behave here...

I was still not yet confiremd the strange "always popuping" ehaviour of permissions attribute...
>


Thanx for check!

J.

More information about the distro-pkg-dev mailing list