Task #208

closed

Create service for execution groovy script (and frontend component)

Added by Vít Švanda over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Scripts
Target version:
Start date: 11/23/2016
Due date:
% Done: 100%
Estimated time:
Owner:

Description

Create a service for executing Groovy scripts
- Create a service for executing Groovy scripts
- The first implementation will be for transforming an attribute value (provisioning)
Create a component for showing and editing Groovy scripts on the frontend

Actions #1

Updated by Vít Švanda over 7 years ago

- Created a service for evaluating and validating Groovy scripts
- Implemented the use of a Groovy script for transformation from and to the target resource
- A new component (ScriptArea) for editing scripts (Groovy or JavaScript) was created

Actions #2

Updated by Vít Švanda over 7 years ago

  • Target version set to Beryl

I solved the problem with the AceReact component being incompatible with the test.

Actions #3

Updated by Vít Švanda over 7 years ago

We have to secure the script. For example, the script "System.exit(1)" destroys the application.
This may be a good way: https://github.com/kohsuke/groovy-sandbox

Actions #4

Updated by Vít Švanda over 7 years ago

  • Status changed from New to In Progress

Actions #5

Updated by Vít Švanda over 7 years ago

  • Subject changed from Create service for execution groovy script to Create service for execution groovy script (and frontend component)
  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Ondřej Kopr
  • % Done changed from 0 to 90

I implemented the Groovy sandbox using https://github.com/kohsuke/groovy-sandbox.
I created an implementation of the Groovy interceptor filter.
  • Scripts run via GroovyScriptService are allowed to use only these classes:
    • Default/primitive types "String.class, Integer.class, Double.class, Long.class, Date.class, Enum.class, Boolean.class, BigDecimal.class, UUID.class, Character.class"
    • I added as allowed all classes from the script input variables. If an input parameter is a List, then I added as allowed all unique classes from all items.
    • Everything else is banned

All of these variants are secured:

System.exit(-1);

def c = System
c.exit(-1)

((Object)System).exit(-1)

Class.forName('java.lang.System').exit(-1)
('java.lang.System' as Class).exit(-1)

import static java.lang.System.exit
exit(-1)

I created tests for run/validate and the security check in https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-impl/src/test/java/eu/bcvsolutions/idm/core/service/DefaultGroovyScriptServiceTest.java

Actions #6

Updated by Ondřej Kopr over 7 years ago

  • Status changed from Needs feedback to Resolved
  • % Done changed from 90 to 100
  • Check DefaultGroovyScriptService. Debug method evaluate and validateScript. Code is clean and easy to understand. Nice.
  • Found accessible class in GroovySandboxFilter. Ok.
  • FE component is nice and responsive
  • Try with:
    def proc = 'systemctl suspend'.execute()
    
    import groovy.io.FileType
    
    def list = []
    
    def dir = new File("/etc")
    dir.eachFileRecurse (FileType.FILES) { file ->
      list << file
    }
    

Test OK :) fun with hacking our idm
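The class allowlist described in update #5, run against probes quoted in updates #5 and #6, as an added example that is not part of the original thread and is not CzechIdM's own code. It assumes the groovy-sandbox library is on the classpath; `AllowlistFilter`, `runSandboxed` and `isBlocked` are hypothetical names, the input map is constructed, and the "public Java methods only" rule is this example's own addition.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.GroovyInterceptor.Invoker
import org.kohsuke.groovy.sandbox.SandboxTransformer
// Hypothetical filter written for this example; not CzechIdM's GroovySandboxFilter.
class AllowlistFilter extends GroovyInterceptor {
    final Set<Class> allowed = [String, Integer, Double, Long, Date, Enum, Boolean, BigDecimal, UUID, Character] as Set
    AllowlistFilter(Map<String, Object> inputs) {
        // Also allow the class of every input variable and of every item of an input List.
        def values = inputs.values() + inputs.values().findAll { it instanceof List }.flatten()
        allowed.addAll(values.findAll { it != null }*.getClass())
    }
    Class typeOf(Object receiver) {
        // A Class receiver (def c = System; c.exit(-1)) is judged as the class it names.
        Class c = receiver instanceof Class ? (Class) receiver : receiver?.getClass()
        if (!allowed.contains(c)) throw new SecurityException('Not allowed in script: ' + c?.name)
        return c
    }
    Object onMethodCall(Invoker inv, Object receiver, String method, Object... args) {
        Class c = typeOf(receiver)
        // Example's own rule: public Java methods only, so Groovy extension methods (String.execute()) are refused.
        if (!c.getMethods().any { it.name == method }) throw new SecurityException('Not allowed: ' + c.name + '.' + method)
        super.onMethodCall(inv, receiver, method, args)
    }
    Object onStaticCall(Invoker inv, Class receiver, String method, Object... args) {
        typeOf(receiver)
        super.onStaticCall(inv, receiver, method, args)
    }
    Object onNewInstance(Invoker inv, Class receiver, Object... args) {
        typeOf(receiver)
        super.onNewInstance(inv, receiver, args)
    }
    Object onGetProperty(Invoker inv, Object receiver, String property) {
        // Reading a binding variable is a property read on the script object itself.
        if (!(receiver instanceof Script)) typeOf(receiver)
        super.onGetProperty(inv, receiver, property)
    }
}

def runSandboxed(String script, Map<String, Object> inputs) {
    def cc = new CompilerConfiguration().addCompilationCustomizers(new SandboxTransformer())
    def filter = new AllowlistFilter(inputs)
    filter.register()   // interceptors are registered per thread
    try { return new GroovyShell(new Binding(inputs), cc).evaluate(script) } finally { filter.unregister() }
}
boolean isBlocked(String s, Map i) { try { runSandboxed(s, i); return false } catch (SecurityException e) { return true } }
// Constructed input; probes taken from updates #5 and #6 ('id' is a harmless stand-in command).
def inputs = [name: 'jan novak']
assert runSandboxed('name.toUpperCase()', inputs) == 'JAN NOVAK'
def probes = ['System.exit(-1)', 'def c = System; c.exit(-1)', "'id'.execute()", 'new File("/etc")']
assert probes.every { isBlocked(it, inputs) }
```

The method rule is deliberately strict and also refuses legitimate Groovy helper methods on allowed types; a filter meant for real scripts would replace it with an explicit per-class list of permitted methods, and would cover property writes and array access as well.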

Actions #7

Updated by Ondřej Kopr over 7 years ago

  • Assignee changed from Ondřej Kopr to Vít Švanda

Actions #8

Updated by Vít Švanda over 7 years ago

  • Status changed from Resolved to Closed