/* * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ import java.io.IOException; import java.io.Serializable; import java.rmi.AlreadyBoundException; import java.rmi.MarshalledObject; import java.rmi.NotBoundException; import java.rmi.Remote; import java.rmi.RemoteException; import java.rmi.registry.LocateRegistry; import java.rmi.registry.Registry; import java.security.Security; import java.util.Objects; import org.testng.Assert; import org.testng.annotations.BeforeSuite; import org.testng.annotations.DataProvider; import org.testng.annotations.Test; /* * @test * @library /java/rmi/testlibrary * @build TestLibrary * @summary Test filters for the RMI Registry * @run testng/othervm RegistryFilterTest * @run testng/othervm * -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass;maxdepth=19 * -Dtest.maxdepth=19 * RegistryFilterTest * @run testng/othervm/policy=security.policy * -Djava.security.properties=${test.src}/java.security-extra1 * RegistryFilterTest */ public class RegistryFilterTest { private static Registry impl; private static int port; private static Registry registry; static final int REGISTRY_MAX_DEPTH = 20; static final int REGISTRY_MAX_ARRAY = 1_000_000; static final String registryFilter = System.getProperty("sun.rmi.registry.registryFilter", Security.getProperty("sun.rmi.registry.registryFilter")); /** * Data RMI Registry bind test. * - name * - Object * - true/false if object is blacklisted by a filter (implicit or explicit) * @return array of test data */ @DataProvider(name = "bindData") static Object[][] bindObjects() { Object[][] data = { { "byte[max]", new XX(new byte[REGISTRY_MAX_ARRAY]), false }, { "String", new XX("now is the time"), false}, { "String[3]", new XX(new String[3]), false}, { "Long[4]", new XX(new Long[4]), false }, { "Object[REGISTRY_MAX_ARRAY]", new XX(new Object[REGISTRY_MAX_ARRAY]), false }, { "rej-byte[toobig]", new XX(new byte[REGISTRY_MAX_ARRAY + 1]), true }, { "rej-Object[toobig]", new XX(new Object[REGISTRY_MAX_ARRAY + 1]), true }, { "rej-MarshalledObject", createMarshalledObject(), true }, { "rej-RejectableClass", new RejectableClass(), registryFilter != null}, }; return data; } static XX createMarshalledObject() { try { return new XX(new MarshalledObject<>(null)); } catch (IOException ioe) { return new XX(ioe); } } @BeforeSuite static void setupRegistry() { try { impl = TestLibrary.createRegistryOnEphemeralPort(); port = TestLibrary.getRegistryPort(impl); registry = LocateRegistry.getRegistry("localhost", port); } catch (RemoteException ex) { Assert.fail("initialization of registry", ex); } System.out.printf("RMI Registry filter: %s%n", registryFilter); } /* * Test registry rejects an object with the max array size + 1. */ @Test(dataProvider="bindData") public void simpleBind(String name, Remote obj, boolean blacklisted) throws RemoteException, AlreadyBoundException, NotBoundException { try { registry.bind(name, obj); Assert.assertFalse(blacklisted, "Registry filter did not reject (but should have) "); registry.unbind(name); } catch (Exception rex) { Assert.assertTrue(blacklisted, "Registry filter should not have rejected"); } } /* * Test registry rejects an object with a well known class * if blacklisted in the security properties. */ @Test public void simpleRejectableClass() throws RemoteException, AlreadyBoundException, NotBoundException { RejectableClass r1 = null; try { String name = "reject1"; r1 = new RejectableClass(); registry.bind(name, r1); registry.unbind(name); Assert.assertNull(registryFilter, "Registry filter should have rejected"); } catch (Exception rex) { Assert.assertNotNull(registryFilter, "Registry filter should not have rejected"); } } /* * Test registry does not reject an object with depth at the built-in limit. */ @Test public void simpleDepthBuiltinNonRejectable() throws RemoteException, AlreadyBoundException, NotBoundException { int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH); depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH); System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter); try { String name = "reject2"; DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride); registry.bind(name, r1); registry.unbind(name); } catch (Exception rex) { Assert.fail("Registry filter should not have rejected depth: " + depthOverride); } } /* * Test registry rejects an object with depth at the limit + 1. */ @Test public void simpleDepthRejectable() throws RemoteException, AlreadyBoundException, NotBoundException { int depthOverride = Integer.getInteger("test.maxdepth", REGISTRY_MAX_DEPTH); depthOverride = Math.min(depthOverride, REGISTRY_MAX_DEPTH); System.out.printf("overrideDepth: %d, filter: %s%n", depthOverride, registryFilter); try { String name = "reject3"; DepthRejectableClass r1 = DepthRejectableClass.create(depthOverride + 1); registry.bind(name, r1); Assert.fail("Registry filter should have rejected depth: " + depthOverride + 1); } catch (Exception rex) { // Rejection expected } } /** * A simple Serializable Remote object that is passed by value. * It and its contents are checked by the Registry serial filter. */ static class XX implements Serializable, Remote { private static final long serialVersionUID = 362498820763181265L; final Object obj; XX(Object obj) { this.obj = obj; } public String toString() { return super.toString() + "//" + Objects.toString(obj); } } /** * A simple Serializable Remote object that is passed by value. * It and its contents are checked by the Registry serial filter. */ static class RejectableClass implements Serializable, Remote { private static final long serialVersionUID = 362498820763181264L; RejectableClass() {} } /** * A simple Serializable Remote object that is passed by value. * It and its contents are checked by the Registry serial filter. */ static class DepthRejectableClass implements Serializable, Remote { private static final long serialVersionUID = 362498820763181264L; private final DepthRejectableClass next; private DepthRejectableClass(DepthRejectableClass next) { this.next = next; } static DepthRejectableClass create(int depth) { DepthRejectableClass next = new DepthRejectableClass(null); for (int i = 1; i < depth; i++) { next = new DepthRejectableClass(next); } return next; } } }