1
/*
2
 * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
import java.net.URLPermission;
25
/*
26
 * @test
27
 * @bug 8010464
28
 * @modules jdk.httpserver
29
 * @library /test/lib
30
 * @build jdk.test.lib.net.SimpleSSLContext
31
 * @run main/othervm -Djava.security.manager=allow URLTest
32
 * @run main/othervm -Djava.security.manager=allow -Djava.net.preferIPv6Addresses=true URLTest
33
 * @summary check URLPermission with Http(s)URLConnection
34
 */
35

36
import java.net.*;
37
import java.io.*;
38
import java.security.*;
39
import java.util.concurrent.*;
40
import com.sun.net.httpserver.*;
41
import javax.net.ssl.*;
42
import jdk.test.lib.net.SimpleSSLContext;
43

44
public class URLTest {
45

46
    static boolean failed;
47

48
    public static void main (String[] args) throws Exception {
49
        createServers();
50

51
        try {
52
            // Verify without a Security Manager
53
            test1();
54
            test2();
55
            test3();
56

57
            // Set the security manager. Each test will set its own policy.
58
            Policy.setPolicy(new CustomPolicy());
59
            System.setSecurityManager(new SecurityManager());
60
            System.out.println("\n Security Manager has been set.");
61

62
            test1();
63
            test2();
64
            test3();
65

66
            if (failed)
67
                throw new RuntimeException("Test failed");
68
        } finally {
69
            shutdown();
70
        }
71
    }
72

73
    static void test1() throws IOException {
74
        System.out.println("\n--- Test 1 ---");
75

76
        boolean expectException = false;
77
        SecurityManager sm = System.getSecurityManager();
78
        if (sm != null) {
79
            expectException = true;
80
            Policy.setPolicy(new CustomPolicy(
81
                new URLPermission("http://" + httpAuth + "/foo.html", "GET:X-Foo,Z-Bar"),
82
                new URLPermission("https://" + httpsAuth + "/foo.html", "POST:X-Fob,T-Bar")));
83
        }
84

85
        String url1 = "http://" + httpAuth + "/foo.html";
86
        String url2 = "https://" + httpsAuth + "/foo.html";
87
        String url3 = "http://" + httpAuth + "/bar.html";
88
        String url4 = "https://" + httpsAuth + "/bar.html";
89

90
        // simple positive test. Should succeed
91
        test(url1, "GET", "X-Foo");
92
        test(url1, "GET", "Z-Bar", "X-Foo");
93
        test(url1, "GET", "X-Foo", "Z-Bar");
94
        test(url1, "GET", "Z-Bar");
95
        test(url2, "POST", "X-Fob");
96

97
        // reverse the methods, should fail
98
        test(url1, "POST", "X-Foo", expectException);
99
        test(url2, "GET", "X-Fob", expectException);
100

101
        // different URLs, should fail
102
        test(url3, "GET", "X-Foo", expectException);
103
        test(url4, "POST", "X-Fob", expectException);
104
    }
105

106
    static void test2() throws IOException {
107
        System.out.println("\n--- Test 2 ---");
108

109
        SecurityManager sm = System.getSecurityManager();
110
        if (sm != null) {
111
            Policy.setPolicy(new CustomPolicy(
112
                new URLPermission("http://" + httpAuth + "/*", "GET:X-Foo"),
113
                new URLPermission("https://" + httpsAuth + "/*", "POST:X-Fob")));
114
        }
115

116
        String url1 = "http://" + httpAuth + "/foo.html";
117
        String url2 = "https://" + httpsAuth + "/foo.html";
118
        String url3 = "http://" + httpAuth + "/bar.html";
119
        String url4 = "https://" + httpsAuth + "/bar.html";
120

121
        // simple positive test. Should succeed
122
        test(url1, "GET", "X-Foo");
123
        test(url2, "POST", "X-Fob");
124
        test(url3, "GET", "X-Foo");
125
        test(url4, "POST", "X-Fob");
126
    }
127

128
    static void test3() throws IOException {
129
        System.out.println("\n--- Test 3 ---");
130

131
        boolean expectException = false;
132
        SecurityManager sm = System.getSecurityManager();
133
        if (sm != null) {
134
            expectException = true;
135
            Policy.setPolicy(new CustomPolicy(
136
                new URLPermission("http://" + httpAuth + "/a/b/-", "DELETE,GET:X-Foo,Y-Foo"),
137
                new URLPermission("https://" + httpsAuth + "/a/c/-", "POST:*")));
138
        }
139

140
        String url1 = "http://" + httpAuth + "/foo.html";
141
        String url2 = "https://" + httpsAuth + "/a/c/d/e/foo.html";
142
        String url3 = "http://" + httpAuth + "/a/b/c";
143
        String url4 = "https://" + httpsAuth + "/a/b/c";
144

145
        test(url1, "GET", "X-Foo", expectException);
146
        test(url2, "POST", "X-Zxc");
147
        test(url3, "DELETE", "Y-Foo");
148
        test(url4, "POST", "Y-Foo", expectException);
149
    }
150

151
    static String authority(InetSocketAddress address) {
152
        String hostaddr = address.getAddress().getHostAddress();
153
        int port = address.getPort();
154
        if (hostaddr.indexOf(':') > -1) {
155
            return "[" + hostaddr + "]:" + port;
156
        } else {
157
            return hostaddr + ":" + port;
158
        }
159
    }
160

161
    // Convenience methods to simplify previous explicit test scenarios.
162
    static void test(String u, String method, String header) throws IOException {
163
        test(u, method, header, null, false);
164
    }
165

166
    static void test(String u, String method, String header, boolean expectException)
167
        throws IOException
168
    {
169
        test(u, method, header, null, expectException);
170
    }
171

172
    static void test(String u, String method, String header1, String header2)
173
        throws IOException
174
    {
175
        test(u, method, header1, header2, false);
176
    }
177

178
    static void test(String u,
179
                     String method,
180
                     String header1,
181
                     String header2,
182
                     boolean expectException)
183
        throws IOException
184
    {
185
        URL url = new URL(u);
186
        System.out.println("url=" + u + " method=" + method +
187
                           " header1=" + header1 + " header2=" + header2 +
188
                           " expectException=" + expectException);
189
        HttpURLConnection urlc = (HttpURLConnection)url.openConnection(Proxy.NO_PROXY);
190
        if (urlc instanceof HttpsURLConnection) {
191
            HttpsURLConnection ssl = (HttpsURLConnection)urlc;
192
            ssl.setHostnameVerifier((host, sess) -> true);
193
            ssl.setSSLSocketFactory(ctx.getSocketFactory());
194
        }
195
        urlc.setRequestMethod(method);
196
        if (header1 != null)
197
            urlc.addRequestProperty(header1, "foo");
198
        if (header2 != null)
199
            urlc.addRequestProperty(header2, "bar");
200

201
        try {
202
            int code = urlc.getResponseCode();
203
            if (expectException) {
204
                failed = true;
205
                System.out.println("FAIL");
206
                return;
207
            }
208
            if (code != 200)
209
                throw new RuntimeException("Unexpected response " + code);
210

211
            InputStream is = urlc.getInputStream();
212
            is.readAllBytes();
213
            is.close();
214
        } catch (RuntimeException e) {
215
            if (!expectException || !(e.getCause() instanceof SecurityException)) {
216
                System.out.println ("FAIL. Unexpected: " + e.getMessage());
217
                e.printStackTrace();
218
                failed = true;
219
                return;
220
            } else {
221
                System.out.println("Got expected exception: " + e.getMessage());
222
            }
223
        }
224
        System.out.println ("PASS");
225
    }
226

227
    static HttpServer httpServer;
228
    static HttpsServer httpsServer;
229
    static HttpContext c, cs;
230
    static ExecutorService e, es;
231
    static SSLContext ctx;
232
    static int httpPort;
233
    static int httpsPort;
234
    static String httpAuth;
235
    static String httpsAuth;
236

237
    static void createServers() throws Exception {
238
        InetAddress loopback = InetAddress.getLoopbackAddress();
239
        InetSocketAddress address = new InetSocketAddress(loopback, 0);
240
        httpServer = HttpServer.create(address, 0);
241
        httpsServer = HttpsServer.create(address, 0);
242

243
        OkHandler h = new OkHandler();
244

245
        c = httpServer.createContext("/", h);
246
        cs = httpsServer.createContext("/", h);
247
        e = Executors.newCachedThreadPool();
248
        es = Executors.newCachedThreadPool();
249
        httpServer.setExecutor(e);
250
        httpsServer.setExecutor(es);
251

252
        ctx = new SimpleSSLContext().get();
253
        httpsServer.setHttpsConfigurator(new HttpsConfigurator (ctx));
254

255
        httpServer.start();
256
        httpsServer.start();
257

258
        httpPort = httpServer.getAddress().getPort();
259
        httpsPort = httpsServer.getAddress().getPort();
260
        httpAuth = authority(httpServer.getAddress());
261
        httpsAuth = authority(httpsServer.getAddress());
262
    }
263

264
    static void shutdown() {
265
        httpServer.stop(1);
266
        httpsServer.stop(1);
267
        e.shutdown();
268
        es.shutdown();
269
    }
270

271
    static class OkHandler implements HttpHandler {
272
        public void handle(HttpExchange x) throws IOException {
273
            x.sendResponseHeaders(200, -1);
274
            x.close();
275
        }
276
    }
277

278
    static class CustomPolicy extends Policy {
279
        static final Policy DEFAULT_POLICY = Policy.getPolicy();
280
        final PermissionCollection perms = new Permissions();
281

282
        CustomPolicy(Permission... permissions) {
283
            java.util.Arrays.stream(permissions).forEach(perms::add);
284

285
            // needed for the HTTP(S) server
286
            InetAddress loopback = InetAddress.getLoopbackAddress();
287
            InetSocketAddress serverBound = new InetSocketAddress(loopback,1024);
288
            perms.add(new SocketPermission(authority(serverBound) + "-", "listen,resolve,accept"));
289
            // needed by the test to reset the policy, per testX method
290
            perms.add(new SecurityPermission("setPolicy"));
291
            // needed to shutdown the ThreadPoolExecutor ( used by the servers )
292
            perms.add(new RuntimePermission("modifyThread"));
293
            // needed by the client code forHttpsURLConnection.setSSLSocketFactory
294
            perms.add(new RuntimePermission("setFactory"));
295
        }
296

297
        public PermissionCollection getPermissions(ProtectionDomain domain) {
298
            return perms;
299
        }
300

301
        public PermissionCollection getPermissions(CodeSource codesource) {
302
            return perms;
303
        }
304

305
        public boolean implies(ProtectionDomain domain, Permission perm) {
306
            return perms.implies(perm) || DEFAULT_POLICY.implies(domain, perm);
307
        }
308
    }
309
}
310

311