This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-4076_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 3fee43eb1280ee5ad06c3726b923f8269c542aac Author: Kishor Gollapalliwar <[email protected]> AuthorDate: Mon Dec 8 15:57:41 2025 +0530 RANGER-4076: Fix TestCase failures in RangerRequestScriptEvaluatorTest --- .../RangerRequestScriptEvaluatorTest.java | 40 ++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java index 918cd8816..8e688a1dd 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java @@ -33,7 +33,10 @@ import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; +import javax.script.Bindings; +import javax.script.ScriptContext; import javax.script.ScriptEngine; +import javax.script.ScriptEngineManager; import java.io.File; import java.util.Arrays; @@ -427,9 +430,15 @@ public void testIntersectsIncludes() { } @Test - public void testBlockJavaClassReferences() { + public void testBlockJavaClassReferencesWithHostAccessBlocked() { + Map<String, Boolean> graalVmConfigs = new HashMap<>(); + graalVmConfigs.put("polyglot.js.nashorn-compat", Boolean.TRUE); + graalVmConfigs.put("polyglot.js.allowHostAccess", Boolean.FALSE); + + ScriptEngine graalEngine = getEngine(graalVmConfigs); + RangerAccessRequest request = createRequest("test-user", Collections.emptySet(), Collections.emptySet(), Collections.emptyList()); - RangerRequestScriptEvaluator evaluator = new RangerRequestScriptEvaluator(request, scriptEngine, false); + RangerRequestScriptEvaluator evaluator = new RangerRequestScriptEvaluator(request, graalEngine, false); String fileName = "/tmp/ctest1-" + System.currentTimeMillis(); @@ -450,6 +459,21 @@ public void testBlockJavaClassReferences() { Assertions.assertFalse(testFile.exists(), fileName + ": file should not have been created"); } + @Test + public void testBlockJavaClassReferencesWithHostAccessAllowed() { + Map<String, Boolean> graalVmConfigs = new HashMap<>(); + graalVmConfigs.put("polyglot.js.nashorn-compat", Boolean.TRUE); + graalVmConfigs.put("polyglot.js.allowHostAccess", Boolean.TRUE); + + ScriptEngine graalEngine = getEngine(graalVmConfigs); + + RangerAccessRequest request = createRequest("test-user", Collections.emptySet(), Collections.emptySet(), Collections.emptyList()); + RangerRequestScriptEvaluator evaluator = new RangerRequestScriptEvaluator(request, graalEngine, false); + + Assert.assertNull("test: java.lang.System.out.println(\"test\");", evaluator.evaluateScript("java.lang.System.out.println(\"test\");")); + Assert.assertNotNull("test: java.lang.Runtime.getRuntime().exec(\"bash\");", evaluator.evaluateScript("java.lang.Runtime.getRuntime().exec(\"bash\");")); + } + @Test public void testIsTimeMacros() { RangerAccessRequest request = createRequest("test-user", Collections.emptySet(), Collections.emptySet(), Collections.emptyList()); @@ -596,4 +620,16 @@ RangerAccessRequest createRequest(String userName, Set<String> userGroups, Set<S return request; } + + public ScriptEngine getEngine(Map<String, Boolean> graalVmConfigs) { + ScriptEngine graalEngine = new ScriptEngineManager().getEngineByName("graal.js"); + + if (graalEngine != null) { + Bindings bindings = graalEngine.getBindings(ScriptContext.ENGINE_SCOPE); + bindings.putAll(graalVmConfigs); + graalEngine.setBindings(bindings, ScriptContext.ENGINE_SCOPE); + } + + return graalEngine; + } }
