Improved: Merge ‘UtilObjectUnitTest’ into ‘UtilObjectTests’

(OFBIZ-11067)

Those classes were testing the same class.


git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1869023 13f79535-47bb-0310-9956-ffa450edef68

framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java

@@ -19,28 +19,40 @@
 package org.apache.ofbiz.base.util;
 
 import static org.apache.ofbiz.base.util.UtilMisc.toSet;
+import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
+import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThat;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Set;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
+import org.junit.After;
 import org.junit.Test;
 
 @SourceMonitored
 public class UtilObjectTests {
+    @After
+    public void cleanUp() {
+        // Ensure that the default value of allowed deserialization classes is used.
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
+    }
 
     public static final class ErrorInjector extends FilterInputStream {
         private int after;
@@ -305,4 +317,43 @@ public void testGetObjectFromFactory() throws Exception {
             assertNotNull("nothing found second", caught);
         }
     }
+
+    // Test reading a basic list of string object.
+    @Test
+    public void testGetObjectExceptionSafe() throws IOException, ClassNotFoundException {
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            List<String> allowedObject = Arrays.asList("foo", "bar", "baz");
+            oos.writeObject(allowedObject);
+            List<String> readObject = UtilGenerics.cast(getObjectException(bos.toByteArray()));
+            assertThat(readObject, contains("foo", "bar", "baz"));
+        }
+    }
+
+    // Test reading a valid customized list of string object.
+    @Test
+    public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "java.util.Arrays.ArrayList,java.lang.String");
+        testGetObjectExceptionSafe();
+
+        // With extra whitespace
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "java.util.Arrays.ArrayList, java.lang.String");
+        testGetObjectExceptionSafe();
+    }
+
+    // Test reading a basic list of string object after forbidding such kind of objects.
+    @Test(expected = ClassCastException.class)
+    public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
+        // Only allow object of type where the package prefix is 'org.apache.ofbiz'
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "org.apache.ofbiz..*");
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");
+            oos.writeObject(forbiddenObject);
+            getObjectException(bos.toByteArray());
+        }
+    }
 }