#202 New test group for security manager

[Rony G. Flatscher]

Attached there are two zip-archives, one contains a patch that defines a new test group for the security manager (consists of two files, "agent2.rex" and "SecurityManager.testGroup"), the other one contains the output of running that test group on ooRexx 3.2.0 (sic!), ooRexx 4.2.0 and ooRexx 5.0.0beta.

All three outputs were created with the same testing framework, i.e. the 3.2.0 framework.

A few remarks:

• 3.2.0: here the security manager sends all messages; there is one failure though: it seems that ooRexx 3.2.0 when resolving an environment symbol was looking through .local first and even when found proceeded looking through .environment. This version of ooRexx will honor/resolve the requires directives.
• 4.2.0: starting with the 4 series of ooRexx (with a new kernel) the requires directives were not honored by the security manager, only the "dynamic requires" (using addPackage).
• 5.0.0beta: currently there are two failures more than in 4.2.0.

[Rony G. Flatscher]

Please use this version of the SecurityManager testgroup which includes the following changes:

• "agent2.rex" not needed anymore
• all tests that test REQUIRES will now work on a separate file, that gets created dynamically if needed; this change is needed as the Rexx interpreter will cache all required Rexx packages (files) by their name

With these changes the following can be observed:
ooRexx 3.2.0: as in the previous testgroup it shows that looking for .local entries will unexpectedly also lookup .environment
ooRexx 4.2.0: because each REQUIRES test (no matter whether via ::requires directive or addPackage) uses a different, not yet resolved external file TEST_VIA_METHOD_REQUIRES_06 now passes; there is a total of two failures linked to the "::requires" directive not triggering the security manager
* ooRexx 5.0.0beta: this behaves the same as 4.2.0, in addition the testgroup shows that there are two new failures in TEST_VIA_METHOD_ENVIRONMENT_02 and TEST_VIA_METHOD_ENVIRONMENT_03

[Rony G. Flatscher]

Enclosed please find the finalized version of the SecurityManager testgroup and its output on ooRexx 3.2, 4.2 and 5.0 beta.

This version adds using .routine and .package objects for defining the code and assigning security managers to it (in addition to what has already been available with using .method objects for the same tests).

Brief findings:

• ooRexx 3.2 as abouve
• ooRexx 4.2: it turns out that requires-directives get carried out for .routine objects that get called, the problem seems to be in running the .method objects where the ::requires directives are not recognized
• ooRexx 5.0: this is interesting, will come up with a separate analysis ASAP (unfortunately, have to leave urgently)

This concludes my work on this testgroup.

[Rony G. Flatscher]

In the meantime I have invested more time to also create unit tests that test for each documented behaviour (when interacting with the supplied information directory). In order to ease testing and analysis I split the single testGroup into using the security manager with method objects, rouitne objects and package objects.

The test units testing the method objects run on 3.2.0 (there is one error, interestingly there, which causes the fully qualified filenames to be uppercased) successfully. The tests for routine objects and package objects are mimickring the method object tests.

On ooRexx 5.0beta the method object and routine object tests show that most security manager features are intact and working like on ooRexx 3.2. There are a few errors here, though:

• ENVIRONMENT security manager message: when resolving an environment symbol in the ooRexx environment then ".local" is looked up first, and if no entry is found, ".environment" is looked up next. It seems that the security manager does not send the ENVIRONMENT message

• REQUIRES security manager message: it seems that this message is not sent when a file contains a "::REQUIRES" directive (it will get sent when doing a "dynamic requires" using ".context~package~addPackage(.package~new(somefile.rex))"

• STREAM security manager message: it seems that this message is not sent to the supplied stream-object when excercising the BIFs CHAROUT, LINEOUT, CHARIN, LINEIN, CHARS, LINES and STREAM

Again, all the method object related test units work successfully on ooRexx 3.2.

[Rony G. Flatscher]

Final update (self-document commands that should cause syntax, failure and error conditions; make sure that Rexx system queue is emptied before running command tests).

[Rony G. Flatscher]

Excel-Spreadsheet giving an overview of success and failures running the test units on ooRexx 3.2.0, 4.2.0 and 5.0beta. Cf. todays (2017-08-02) posting in https://sourceforge.net/p/oorexx/mailman/oorexx-devel/.

[Erich]

A (different) Security manager test group was committed with revision [r11302].