package com.google.gson.functional;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonIOException;
import com.google.gson.TypeAdapter;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonWriter;
import java.io.IOException;
import java.lang.reflect.ReflectPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Permission;
import java.util.Collections;
import java.util.concurrent.atomic.AtomicBoolean;
import org.junit.Test;
/**
 * Functional tests for Gson when reflective access is unavailable: once because a
 * {@link SecurityManager} vetoes it, and once because the target is a non-accessible
 * JDK-internal class.
 */
public class ReflectionAccessTest {
  /** Message of the {@link SecurityException} raised for {@code accessDeclaredMembers}. */
  private static final String NO_MEMBER_ACCESS = "Gson: no-member-access";

  /** Message of the {@link SecurityException} raised for {@code suppressAccessChecks}. */
  private static final String NO_SUPPRESS_ACCESS_CHECK = "Gson: no-suppress-access-check";

  /** Fixture whose field and constructor are private, so it is only reachable via reflection. */
  @SuppressWarnings("unused")
  private static class ClassWithPrivateMembers {
    private String s;

    private ClassWithPrivateMembers() {}
  }

  /**
   * Security manager that rejects exactly the two permissions needed to reflect on non-public
   * members. Every other permission check passes, so this models "reflection is forbidden" and
   * nothing more; it is not a general sandbox.
   */
  private static final class ReflectionDenyingSecurityManager extends SecurityManager {
    private final Permission memberAccess = new RuntimePermission("accessDeclaredMembers");
    private final Permission accessCheckSuppression =
        new ReflectPermission("suppressAccessChecks");

    @Override
    public void checkPermission(Permission perm) {
      if (memberAccess.equals(perm)) {
        throw new SecurityException(NO_MEMBER_ACCESS);
      }
      if (accessCheckSuppression.equals(perm)) {
        throw new SecurityException(NO_SUPPRESS_ACCESS_CHECK);
      }
    }
  }

  /**
   * Loads {@code c} a second time through a fresh {@link URLClassLoader} that has no parent
   * loader and points at the code source location {@code c} was loaded from.
   *
   * @param c class to reload; its protection domain must expose a code source location
   * @return the class of the same name as defined by the new loader
   * @throws Exception if the class cannot be found through the new loader
   */
  private static Class<?> loadClassWithDifferentClassLoader(Class<?> c) throws Exception {
    URL codeLocation = c.getProtectionDomain().getCodeSource().getLocation();
    // NOTE(review): the loader is never closed. Closing it here could break later lazy loading
    // from the returned class, so it would have to be closed by the caller after the test.
    ClassLoader isolatedLoader = new URLClassLoader(new URL[] {codeLocation}, null);
    return isolatedLoader.loadClass(c.getName());
  }

  /**
   * Verifies that a security manager denying reflection stops Gson from building a
   * reflection-based adapter, while an explicitly registered {@link TypeAdapter} still works.
   *
   * <p>NOTE(review): {@link SecurityManager} is deprecated for removal (JEP 411). From Java 18 on
   * {@code System.setSecurityManager} throws {@link UnsupportedOperationException} unless the JVM
   * is started with {@code -Djava.security.manager=allow}, and it can no longer be installed once
   * the Security Manager is permanently disabled (JEP 486). On such JDKs this test fails before
   * reaching any Gson code.
   */
  @Test
  public void testRestrictiveSecurityManager() throws Exception {
    // Must use separate class loader, otherwise permission is not checked, see
    // Class.getDeclaredFields()
    Class<?> isolatedClass = loadClassWithDifferentClassLoader(ClassWithPrivateMembers.class);

    SecurityManager previousManager = System.getSecurityManager();
    System.setSecurityManager(new ReflectionDenyingSecurityManager());
    try {
      Gson reflectiveGson = new Gson();
      try {
        // Looking up the reflection-based adapter has to be rejected by the security manager
        reflectiveGson.getAdapter(isolatedClass);
        fail();
      } catch (SecurityException denied) {
        // The member-access denial is the one expected to surface
        assertEquals(NO_MEMBER_ACCESS, denied.getMessage());
      }

      final AtomicBoolean readInvoked = new AtomicBoolean(false);
      GsonBuilder builder = new GsonBuilder();
      // Adapter that never touches the members of the target class
      TypeAdapter<Object> stubAdapter =
          new TypeAdapter<Object>() {
            @Override
            public void write(JsonWriter out, Object value) throws IOException {
              out.value("custom-write");
            }

            @Override
            public Object read(JsonReader in) throws IOException {
              in.skipValue();
              readInvoked.set(true);
              return null;
            }
          };
      Gson customGson = builder.registerTypeAdapter(isolatedClass, stubAdapter).create();

      // With the custom adapter registered, both directions work without reflection
      assertEquals("\"custom-write\"", customGson.toJson(null, isolatedClass));
      assertNull(customGson.fromJson("{}", isolatedClass));
      assertTrue(readInvoked.get());
    } finally {
      // Always restore the previous manager so later tests in the same JVM are unaffected
      System.setSecurityManager(previousManager);
    }
  }

  /**
   * Serializes an instance of a non-accessible JDK-internal class for which Gson supports one of
   * the superinterfaces, then checks that deserializing into that internal class is refused.
   *
   * <p>{@link Collections#emptyList()} returns an instance of the internal class
   * {@code java.util.Collections.EmptyList}. Gson is expected to serialize it as a {@code List}
   * even though the internal class itself is not accessible.
   *
   * <p>The deserialization half relies on the JVM denying illegal reflective access, as the
   * failure message states ({@code --illegal-access=deny}). Where such access is still permitted,
   * Gson may be able to open the constructor and no exception is raised.
   *
   * <p>See https://github.com/google/gson/issues/1875
   */
  @Test
  public void testSerializeInternalImplementationObject() {
    Gson gson = new Gson();
    assertEquals("[]", gson.toJson(Collections.emptyList()));

    // But deserialization should fail
    Class<?> emptyListClass = Collections.emptyList().getClass();
    String expectedPrefix =
        "Failed making constructor 'java.util.Collections$EmptyList#EmptyList()' accessible; "
            + "either change its visibility or write a custom InstanceCreator or TypeAdapter for its declaring type";
    try {
      gson.fromJson("{}", emptyListClass);
      fail("Missing exception; test has to be run with `--illegal-access=deny`");
    } catch (JsonIOException expected) {
      assertTrue(expected.getMessage().startsWith(expectedPrefix));
    }
  }
}