canmove, Confirmed users
1,220
edits
Security/B2G/GaiaTesting: Difference between revisions
no edit summary
Ptheriault (talk | contribs) (Created page with "Testing Gaia with B2G desktop Gaia is a collection of web apps which make up the UI for the Boot to Gecko project. It consists of a system app, which performs most runtime functi...") |
Ptheriault (talk | contribs) No edit summary |
||
| Line 2: | Line 2: | ||
Gaia is a collection of web apps which make up the UI for the Boot to Gecko project. It consists of a system app, which performs most runtime functions and loads all of the other Web Apps, such as apps for the Browser, Dialer, SMS, Contacts etc. | Gaia is a collection of web apps which make up the UI for the Boot to Gecko project. It consists of a system app, which performs most runtime functions and loads all of the other Web Apps, such as apps for the Browser, Dialer, SMS, Contacts etc. | ||
When running, Gaia can be thought of as one large HTML document as shown below: | When running, Gaia can be thought of as one large HTML document as shown below: | ||
<window> Gecko chrome | | <window> Gecko chrome | ||
| | |||
+--> <iframe> Gaia system app | |||
| | |||
+--> <iframe> homescreen app | |||
| | |||
+--> <iframe> keyboard | |||
| | |||
+--> <iframe> Web Apps (one per each app) | |||
| | |||
+--> <iframe> browser app (when it is loaded) | |||
| | |||
<iframe> Web content | |||
So when performing Gaia security testing, we mainly was to test from two perspectives (from least to most privileged): | So when performing Gaia security testing, we mainly was to test from two perspectives (from least to most privileged): | ||
*Web Content loaded in the Gaia Browser App | |||
*Installed Web Apps | |||
*The System App (in case of attack from content) | |||
*Gecko chrome code (in case of further privilege escalation) | |||
This post will go through the basics of executing script at each of these levels. | This post will go through the basics of executing script at each of these levels. | ||
===Setting up B2G Desktop=== | ===Setting up B2G Desktop=== | ||
When testing gaia, you have 4 options: | When testing gaia, you have 4 options: | ||
*a b2g device | |||
*b2g in an emulator | |||
*b2g compiled to run on desktop (b2g desktop) | |||
*load Gaia inside nightly | |||
Testing on b2g desktop is the sweet spot for ease of use vs completeness. Obviously some things don't work (dialing, sms etc) but for just testing Gaia as a whole this is a great place to start. | Testing on b2g desktop is the sweet spot for ease of use vs completeness. Obviously some things don't work (dialing, sms etc) but for just testing Gaia as a whole this is a great place to start. (more detail on this [https://developer.mozilla.org/en/Mozilla/Boot_to_Gecko/Choosing_how_to_run_Gaia_or_B2G|here] | ||
The following are condensed instructions for how to install and run b2g desktop. For a more detailed explanation and further information, see https://wiki.mozilla.org/Gaia/Hacking. | |||
'''Step 1. Install B2G desktop''' | The following are condensed instructions for how to install and run b2g desktop. For a more detailed explanation and further information, see https://wiki.mozilla.org/Gaia/Hacking.<br> | ||
Download an install the appropriate binary for your system here: http://ftp.mozilla.org/pub/mozilla.org/b2g/nightly/latest-mozilla-central/ | '''Step 1. Install B2G desktop'''<br> | ||
Download an install the appropriate binary for your system here: http://ftp.mozilla.org/pub/mozilla.org/b2g/nightly/latest-mozilla-central/<br> | |||
Open the dmg file and drag the b2g app to your applications directory. | |||
'''Step 2. Download and build Gaia''' | '''Step 2. Download and build Gaia'''<br> | ||
You need to download Gaia, and then build it, which builds a profile which you can load with b2g desktop. This can be achieved with the following commands: | You need to download Gaia, and then build it, which builds a profile which you can load with b2g desktop. This can be achieved with the following commands: | ||
$ git clone https://github.com/mozilla-b2g/gaia | $ git clone https://github.com/mozilla-b2g/gaia | ||
| Line 38: | Line 40: | ||
$ DEBUG=1 make | $ DEBUG=1 make | ||
Note: "DEBUG=1" is needed to enable testing tools. | Note: "DEBUG=1" is needed to enable testing tools. | ||
'''Step 3. Load B2G desktop using the profile created by gaia''' | '''Step 3. Load B2G desktop using the profile created by gaia'''<br> | ||
Load the b2g executable, supplying the -profile option with the path to the gaia location | Load the b2g executable, supplying the -profile option with the path to the gaia location | ||
$ b2g -profile /path/to/gaia/profile | $ b2g -profile /path/to/gaia/profile | ||
Assuming it all works, you should see the lock screen: http://imgur.com/yKxqN | Assuming it all works, you should see the lock screen: http://imgur.com/yKxqN | ||
Specific examples, assuming current directory is where you installed gaia. | Specific examples, assuming current directory is where you installed gaia.<br> | ||
Mac: | Mac: | ||
$ /Applications/B2G.app/Contents/MacOS/b2g -profile `pwd`/profile | $ /Applications/B2G.app/Contents/MacOS/b2g -profile `pwd`/profile | ||
*Useful switches when running b2g: | *Useful switches when running b2g: | ||
** Launch B2G desktop with a specific screen resolution: --screen (e.g. --screen 800x600) | ** Launch B2G desktop with a specific screen resolution: --screen (e.g. --screen 800x600) | ||
** Enable the error console: -jsconsole | ** Enable the error console: -jsconsole | ||
''' | '''HINTS''' | ||
* The lock screen is initially shown (default passcode "0000"). This can be turned off | * The lock screen is initially shown (default passcode "0000"). This can be turned off or changed in settings app | ||
* Exit an app using esc or home key | * Exit an app using esc or home key | ||
* This is a phone; the screen will sleep! Wake from sleep (black screen) using home key command only (fn + left, mac users) | * This is a phone; the screen will sleep! Wake from sleep (black screen) using home key command only (fn + left, mac users) | ||
===Testing the B2G Browser App=== | ===Testing the B2G Browser App=== | ||
Webpages are the least privileged content on b2g and the easiest to test. Just open the browser app and load a web page. | Webpages are the least privileged content on b2g and the easiest to test. Just open the browser app and load a web page. | ||
[NOTE: currently a bug with the latest b2g desktop builds 15 jul. Missing a lib, but you can copy it from xulrunner which gaia installs when it is building see https://bugzilla.mozilla.org/show_bug.cgi?id=774215] | [NOTE: currently a bug with the latest b2g desktop builds 15 jul. Missing a lib, but you can copy it from xulrunner which gaia installs when it is building see https://bugzilla.mozilla.org/show_bug.cgi?id=774215] | ||
===Testing as a Web App=== | ===Testing as a Web App=== | ||
The easiest way to test as a web app is to create your web app. This is made easy since there is already a template in gaia which you can copy. | The easiest way to test as a web app is to create your web app. This is made easy since there is already a template in gaia which you can copy. | ||
| Line 65: | Line 63: | ||
$ cp -R test_apps/template test_apps/shell | $ cp -R test_apps/template test_apps/shell | ||
'''Step 2. Put some content in index.html''' | '''Step 2. Put some content in index.html''' | ||
$curl http://www.squarefree.com/shell/shell.html >test_apps/shell/index.html | $ curl http://www.squarefree.com/shell/shell.html >test_apps/shell/index.html | ||
'''3. Change the name in manifest.webapp so that it is called something other than template: | '''3. Change the name in manifest.webapp so that it is called something other than template: | ||
sed -e '/Template/s//Shell/' test_apps/shell/manifest.webapp''' | $ sed -e '/Template/s//Shell/' test_apps/shell/manifest.webapp''' | ||
You might want to launch b2g with a larger screen res so you can see what you are typing. Or click and drag to zoom the page. | You might want to launch b2g with a larger screen (use --screen ###x###) res so you can see what you are typing. Or click and drag to zoom the page. | ||
=== Testing with Marionette=== | === Testing with Marionette=== | ||
Marionette provides a mechanism to connect a remote client to a B2G instance, call javascript and get the result. It allows injecting script into any level from chrome right down to web content. | Marionette provides a mechanism to connect a remote client to a B2G instance, call javascript and get the result. It allows injecting script into any level from chrome right down to web content.<br> | ||
To install and get started with Marionette, follow the instructions here: https://developer.mozilla.org/en/Mozilla/Boot_to_Gecko/Setting_Up_Marionette_for_B2G | To install and get started with Marionette, follow the instructions here: https://developer.mozilla.org/en/Mozilla/Boot_to_Gecko/Setting_Up_Marionette_for_B2G <br> | ||
Important: Since we are running b2g desktop instead of on a device or emulator, you do not need to use adb to forward port 2828. Just skip this step. | |||
Important: Since we are running b2g desktop instead of on a device or emulator, you do not need to use adb to forward port 2828. Just skip this step. | |||
Once you have it all working, the following commands will get you started. | Once you have it all working, the following commands will get you started. | ||
>>> from marionette import Marionette | >>> from marionette import Marionette | ||
>>> marionette = Marionette('localhost', 2828) | >>> marionette = Marionette('localhost', 2828) | ||
>>> marionette.start_session() | >>> marionette.start_session() | ||
u'8-b2g' | u'8-b2g' | ||
At this point we are connected and can start issuing commands. | At this point we are connected and can start issuing commands. | ||
>>> marionette.execute_script("return document.location.href") | >>> marionette.execute_script("return document.location.href") | ||
u'http://system.gaiamobile.org:8080/' | u'http://system.gaiamobile.org:8080/' | ||
By default, we are executing script inside the top level content frame, which is the Gaia "System" app. | By default, we are executing script inside the top level content frame, which is the Gaia "System" app. | ||
To switch to chrome perform use the set_context command: | To switch to chrome perform use the set_context command: | ||
>>> marionette.set_context("chrome") | >>> marionette.set_context("chrome") | ||
True | True | ||
>>> marionette.execute_script("return document.location.href") | >>> marionette.execute_script("return document.location.href") | ||
u'chrome://browser/content/shell.xul' | u'chrome://browser/content/shell.xul' | ||
To switch back, use the same command: | To switch back, use the same command: | ||
>>> marionette.set_context("content") | >>> marionette.set_context("content") | ||
True | True | ||
>>> marionette.execute_script("return document.location.href") | >>> marionette.execute_script("return document.location.href") | ||
u'http://system.gaiamobile.org:8080/' | u'http://system.gaiamobile.org:8080/' | ||
Now lets open the browser app: | Now lets open the browser app (note the use of wrappedJSObject for non-DOM entities): | ||
>>> marionette.execute_script("return window.wrappedJSObject.WindowManager.launch('http://browser.gaiamobile.org:8080')") | |||
To switch to the browser, we need the id of the frame, which should be 4 if you haven't launched anything else: | |||
>>> marionette.switch_to_frame(4) | |||
True | |||
>>> marionette.execute_script('return document.location.href') | |||
u'http://browser.gaiamobile.org:8080/' | |||
Now you can execute script inside a running app. | |||
To switch back to the system or another app you need to reset marionette back to the top frame by: | |||
>>> marionette.switch_to_frame() | |||
True | |||
>>> marionette.execute_script('return document.location.href') | |||
u'http://system.gaiamobile.org:8080/' | |||