From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 9434 invoked by alias); 22 Nov 2005 16:27:16 -0000
Received: (qmail 9427 invoked by uid 22791); 22 Nov 2005 16:27:15 -0000
X-Spam-Check-By: sourceware.org
Received: from gbenson.demon.co.uk (HELO gbenson.demon.co.uk) (80.177.220.214)
    by sourceware.org (qpsmtpd/0.31) with ESMTP; Tue, 22 Nov 2005 16:27:14 +0000
Received: from slippy.wire.rat ([192.168.1.1]) by gbenson.demon.co.uk
    with esmtp (Exim 3.36 #1) id 1Eeaz9-0006CH-00
    for mauve-discuss@sources.redhat.com; Tue, 22 Nov 2005 16:27:11 +0000
Received: from slippy.wire.rat (localhost.localdomain [127.0.0.1])
    by slippy.wire.rat (8.13.1/8.13.1) with ESMTP id jAMGRBJj006454
    for ; Tue, 22 Nov 2005 16:27:11 GMT
Received: (from gary@localhost) by slippy.wire.rat (8.13.1/8.13.1/Submit)
    id jAMGRA5h006453 for mauve-discuss@sources.redhat.com;
    Tue, 22 Nov 2005 16:27:10 GMT
Date: Tue, 22 Nov 2005 16:27:00 -0000
From: Gary Benson
To: mauve-discuss@sources.redhat.com
Subject: Re: SecurityException throwpoint audit
Message-ID: <20051122162710.GC4839@redhat.com>
Mail-Followup-To: mauve-discuss@sources.redhat.com
References: <20051121165809.GB12340@redhat.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="V0207lvV8h4k8FAm"
Content-Disposition: inline
In-Reply-To: <20051121165809.GB12340@redhat.com>
X-IsSubscribed: yes
Mailing-List: contact mauve-discuss-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Subscribe:
List-Archive:
List-Post:
List-Help: ,
Sender: mauve-discuss-owner@sourceware.org
X-SW-Source: 2005-q4/txt/msg00036.txt.bz2

--V0207lvV8h4k8FAm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-length: 1542

Hi again,

I take it that nobody minds if I start doing this. The attached
script can be used to create the annotated list of throwpoints so
you can look up IDs I add in comments or whatever. The script
performs some MD5 checks so you can be sure you're looking at the
same page I am.

Cheers,
Gary

Gary Benson wrote:
> Hi all,
>
> I've been trying to work out how to test that permissions are
> checked at every point they ought to be. There's a table of
> every such point here:
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
>
> Some of these already have tests, but most probably do not. Before
> I start creating tests I'm thinking that we need some way to
> correlate mauve tests with the throwpoints on this (and future)
> lists.
>
> How would people feel if I numbered the throwpoints on the above
> list and noted them in their corresponding tests in some easily
> parsable form (probably in comments like Tags are already). That
> way whether a throwpoint is tested (and the location of the test)
> can be found with a simple grep.
>
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.
>
> It would be convenient if we made a version of the above list
> annotated with the throwpoint numbers, but obviously such a thing
> could not be distributed. It should be possible to write a script
> that would download and annotate the list for local use.
>
> Does this sound reasonable?
>
> Cheers,
> Gary

--V0207lvV8h4k8FAm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="get-throwpoints.py"
Content-length: 3886

#!/usr/bin/env python

import md5
import sgmllib

def escape(data, escape_quote = False):
    # Re-escape text for HTML output; "&" must be replaced first.
    data = data.replace("&", "&amp;")
    data = data.replace("<", "&lt;")
    if escape_quote:
        data = data.replace('"', "&quot;")
    return data

class Parser(sgmllib.SGMLParser):
    from htmlentitydefs import entitydefs

    def __init__(self, fp, verbose = False):
        sgmllib.SGMLParser.__init__(self, verbose)
        self.fp = fp

    def reset(self):
        sgmllib.SGMLParser.reset(self)
        # hashes[0] covers the downloaded input, hashes[1] the output
        self.hashes = md5.new(), md5.new()
        self.passthrough = False
        self.row = None

    def feed(self, data):
        sgmllib.SGMLParser.feed(self, data)
        self.hashes[0].update(data)

    def write(self, data):
        self.fp.write(data)
        self.hashes[1].update(data)

    def digests(self):
        return [hash.hexdigest() for hash in self.hashes]

    # handle passthrough in generic overrides

    def handle_starttag(self, tag, method, attrs):
        sgmllib.SGMLParser.handle_starttag(self, tag, method, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)

    def unknown_starttag(self, tag, attrs):
        sgmllib.SGMLParser.unknown_starttag(self, tag, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)

    def handle_endtag(self, tag, method):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.handle_endtag(self, tag, method)

    def unknown_endtag(self, tag):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.unknown_endtag(self, tag)

    def handle_data(self, data):
        if self.passthrough:
            self.write(data)

    def __write_tag(self, tag, attrs = ()):
        self.write("<%s%s>" % (tag, "".join(
            [' %s="%s"' % (name, escape(value, True))
             for name, value in attrs])))

    # handle everything else in tag-specific overrides

    def start_table(self, attrs):
        # start copying at the table identified by its summary attribute
        for name, value in attrs:
            if name == "summary":
                if value == "methods and the premissions they require":
                    self.passthrough = True
                    self.row = 0
                break
        if self.passthrough:
            self.write("\n \n ")

    def end_table(self):
        if self.passthrough:
            self.write("\n \n\n")
        self.passthrough = False

    def start_tr(self, attrs):
        # row 29 is dropped from the output; copying resumes at the
        # next row, which takes its number
        if self.passthrough:
            if self.row == 29:
                self.passthrough = False
            self.row_tagged = False
        elif self.row == 29:
            self.passthrough = True

    def end_tr(self):
        if self.passthrough:
            self.row += 1

    def start_th(self, attrs):
        # first header cell of a row: emit the ID column heading
        if self.passthrough:
            if not self.row_tagged:
                self.write("ID\n ")
                self.row_tagged = True

    def start_td(self, attrs):
        # first data cell of a row: emit the throwpoint ID
        if self.passthrough:
            if not self.row_tagged:
                self.write("se%03d\n " % self.row)
                self.row_tagged = True

if __name__ == "__main__":
    import os
    import sys
    import urllib

    version = "1.4.2"
    src = "http://java.sun.com/j2se/" + version \
          + "/docs/guide/security/permissions.html"
    dst = "throwpoints-%s.html" % version
    if os.path.exists(dst):
        print "%s: file exists" % dst
        sys.exit(1)

    parser = Parser(open(dst, "w"))
    parser.feed(urllib.urlopen(src).read())
    parser.close()

    # compare the output digest first, then the input digest, so a
    # changed page is told apart from a processing difference
    digests = parser.digests()
    if digests[1] == "3c40052647c417dead97068a32f51911":
        status = "PASS"
    elif digests[0] == "c4b9248859682e65ad71788acfc03b78":
        status = "FAIL (processing)"
    else:
        status = "FAIL (input = %s)" % digests[0]
    print "status:", status

--V0207lvV8h4k8FAm--
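
The correlation proposed in this thread (throwpoint IDs noted in test comments, then looked up mechanically), as an added example that is not part of the original mail or of Mauve. The `// Throwpoints:` comment syntax, the file paths and the sample sources are assumptions constructed for illustration; only the `seNNN` ID form comes from the attached script.

```python
import re

# Assumed tag syntax (not defined in the thread): a comment line such as
#   // Throwpoints: se012 se013
# IDs use the seNNN form that the attached script writes into the table.
TAG_RE = re.compile(r"^[ \t]*//[ \t]*Throwpoints:[ \t]*(.*)$", re.MULTILINE)
ID_RE = re.compile(r"se\d{3,}")

def scan_source(text):
    """Return (valid_ids, malformed_tokens) found in one test source."""
    valid, malformed = set(), set()
    for match in TAG_RE.finditer(text):
        for token in match.group(1).replace(",", " ").split():
            (valid if ID_RE.fullmatch(token) else malformed).add(token)
    return valid, malformed

def coverage(sources, total):
    """sources: {path: text}; total: throwpoints on the list, numbered from 1."""
    known = {"se%03d" % n for n in range(1, total + 1)}
    tested, problems = {}, []
    for path in sorted(sources):
        valid, malformed = scan_source(sources[path])
        for token in sorted(malformed):
            problems.append((path, token, "malformed"))
        for tp in sorted(valid):
            if tp in known:
                tested.setdefault(tp, []).append(path)
            else:
                problems.append((path, tp, "not on list"))
    untested = sorted(known - set(tested))
    return tested, untested, problems

# Constructed sample inputs (hypothetical paths and contents).
IO_TEST = "gnu/testlet/java/io/File/security.java"
LANG_TEST = "gnu/testlet/java/lang/System/security.java"
SAMPLE = {
    IO_TEST: "// Tags: JDK1.2\n// Throwpoints: se001, se4, se007\nclass a {}\n",
    LANG_TEST: "// Tags: JDK1.2\n// Throwpoints: se001 se002\nclass b {}\n",
}

if __name__ == "__main__":
    tested, untested, problems = coverage(SAMPLE, total=5)
    for tp, paths in sorted(tested.items()):
        print(tp, "->", ", ".join(paths))
    print("untested:", " ".join(untested))
    for path, token, reason in problems:
        print("problem: %s in %s (%s)" % (token, path, reason))
```

Reporting malformed and off-list IDs separately keeps a mistyped tag from silently counting as coverage of a permission check.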