CppStars / mb-unit

Automatically exported from code.google.com/p/mb-unit

Support partially trusted callers. #53

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Supporting partially trusted callers is a bit of a pain but it will be
useful for testing in some environments.

Peli mentioned the lack of this feature in other frameworks:
http://blog.dotnetwiki.org/IsYourTestFrameworkPartialTrustFriendly.aspx

Mostly it boils down to being very particular about security demands and
adding tests that really do stress execution under partially trusted
conditions.  Obviously some features won't work given certain security
constraints but we should at least be aware of which features they are.

There are two forks to this issue:

1. Allow partially trusted callers in the framework assembly.  Then add
support for running tests in reduced security contexts via a custom
decorator attribute.  We will need to be explicit about security demands
made by the framework.  In particular, we'll need to watch out for cases
where the framework calls into core services since those services may have
trouble running with reduced permissions.

2. Allow the Gallio test runner itself to execute in a partially trusted
context such as a web browser.  This may be needed to run tests in
Silverlight anyways.  However, this is a much harder problem than #1 as the
core assumes it has unrestricted access to the system in many places (for
instance, that it can scan directories and load arbitrary plugin
assemblies).  Some other strange things might break like XML serializers
with private default constructors (which I'm kind of surprised works anyways).

We should do a thorough design analysis before we attack each fork.

I wouldn't be too surprised if we found we needed to fiddle with the GAC to
make this stuff work.

Original issue reported on code.google.com by jeff.br...@gmail.com on 5 Sep 2007 at 9:28
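
One way to run a test body in a reduced security context, as fork 1 describes; this is an added example, not code from this thread or from MbUnit or Gallio. It assumes the .NET Framework sandboxing overload of `AppDomain.CreateDomain` that takes a grant set; `SandboxedTest`, the domain name and the sample path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical test body (not an MbUnit or Gallio type). It derives from
// MarshalByRefObject so the host can call it across the AppDomain boundary.
public sealed class SandboxedTest : MarshalByRefObject
{
    // Executes inside the sandbox. File.ReadAllText demands FileIOPermission,
    // which the sandbox grant set below does not contain.
    public string Run(string path)
    {
        try
        {
            File.ReadAllText(path);
            return "file read allowed";
        }
        catch (SecurityException)
        {
            return "file read denied by the sandbox";
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Grant set for the test domain: permission to execute, nothing else.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // No strong names are listed as fully trusted, so every assembly
        // loaded from the application base runs with the grant set above.
        AppDomain sandbox = AppDomain.CreateDomain("PartialTrustTests", null, setup, grant);
        try
        {
            SandboxedTest test = (SandboxedTest)sandbox.CreateInstanceAndUnwrap(
                typeof(SandboxedTest).Assembly.FullName,
                typeof(SandboxedTest).FullName);

            // Constructed sample path; the demand fails before the file is opened.
            string path = Path.Combine(Path.GetTempPath(), "constructed-sample.txt");
            Console.WriteLine(test.Run(path));
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

A framework assembly listed as fully trusted in that `CreateDomain` call would be exempt from the grant set, which is why the security demands it makes on behalf of tests need to be explicit.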

GoogleCodeExporter commented 8 years ago
More on this from Peli:
http://blog.dotnetwiki.org/PexItPartialTrustWithATwist.aspx

There are some things Peli is missing from this discussion.  For example,
should we prevent tests running under partial trust from accessing certain
parts of the framework?  After all the framework can do all sorts of
fully-trusted I/O on behalf of a test thus resulting in privilege elevation.
I expect it would depend on the deployment model.  Do you trust the tests you
are running?

Frankly I find it a little hard to imagine getting anything useful done
without trusting the tests but it might be important not to if tests are
intended to be downloaded to a client and executed inside of a browser, for
example.  So there are still things for us to think about here in terms of the
security model...

Original comment by jeff.br...@gmail.com on 8 Sep 2007 at 8:06

GoogleCodeExporter commented 8 years ago
Applies to both Gallio and MbUnit v3.

Original comment by jeff.br...@gmail.com on 30 Oct 2007 at 2:15

GoogleCodeExporter commented 8 years ago

Original comment by jeff.br...@gmail.com on 19 Nov 2008 at 11:58