This repository has been archived by the owner on Jul 30, 2024. It is now read-only.
/ NuGet.Jobs Public archive

Filter repository signatures from Validate Certificate, Revalidate jo…
joelverhagen committed Apr 13, 2018
1 parent aad31a4 commit c67227e
Showing 7 changed files with 269 additions and 21 deletions.
Expand Up @@ -236,6 +236,7 @@ private Task<PackageSignature> FindSignatureAsync(IValidationRequest request)
.PackageSignatures
.Include(s => s.EndCertificate)
.Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))
.Where(s => s.Type == PackageSignatureType.Author)
.SingleAsync(s => s.PackageKey == request.PackageKey);
}
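Review bot: With the added `Where(s => s.Type == PackageSignatureType.Author)`, the `SingleAsync` on the following line throws when the package has no author signature at all, for example a package that carries only a repository signature. Whether callers guarantee an author signature exists before reaching `FindSignatureAsync` is not visible here, since the method starts outside the hunk. If that guarantee is missing, `SingleOrDefaultAsync` with an explicit null branch would turn the case into a handled outcome instead of an unhandled `InvalidOperationException`. Otherwise a comment such as `// Callers only reach this for packages with exactly one author signature.` would record the assumption.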

Expand Up @@ -73,6 +73,7 @@ private async Task<List<PackageSignature>> FindPromotableSignaturesAsync()

var potentialSignatures = await _context.PackageSignatures
.Where(s => s.Status == PackageSignatureStatus.InGracePeriod)
.Where(s => s.Type == PackageSignatureType.Author)
.Include(s => s.EndCertificate)
.Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))
.OrderBy(s => s.CreatedAt)
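Review bot: The new `Where(s => s.Type == PackageSignatureType.Author)` in `FindPromotableSignaturesAsync` has no comment saying why other types are skipped, and its effect is that a non-author signature in `InGracePeriod` is never promoted by this query. The filter is an allowlist, so unrecognized values are excluded as well, which is the safer direction and is what the `(PackageSignatureType)0` test case in this commit pins. I would add `// Only author signatures are promoted here; repository and unrecognized signature types are left untouched.` above the filter. The statement continues past the end of the hunk.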
Expand Up @@ -286,11 +286,13 @@ private Task<List<PackageSignature>> FindSignaturesAsync(EndCertificate certific
{
case EndCertificateUse.CodeSigning:
packageSignatures = _context.PackageSignatures
.Where(s => s.Type == PackageSignatureType.Author)
.Where(s => s.EndCertificate.Thumbprint == certificate.Thumbprint);
break;

case EndCertificateUse.Timestamping:
packageSignatures = _context.PackageSignatures
.Where(s => s.Type == PackageSignatureType.Author)
.Where(s => s.TrustedTimestamps.Any(t => t.EndCertificate.Thumbprint == certificate.Thumbprint));

break;
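Review bot: The same `Type == PackageSignatureType.Author` predicate is now written out in both `case` arms, so a future `EndCertificateUse` arm could forget it. Hoisting it above the `switch` as `var authorSignatures = _context.PackageSignatures.Where(s => s.Type == PackageSignatureType.Author);` and building each arm from `authorSignatures` keeps the exclusion in one place. The consequence worth a comment is that a certificate referenced only by repository signatures yields an empty list here, so a revocation result for it changes no signature in this method. Nothing on the page shows where repository signatures get that handling, so I would note the exclusion next to the filter. `FindSignaturesAsync` starts and ends outside the hunk.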
Expand Up @@ -160,6 +160,7 @@ public async Task ReturnsExpectedStatusForCertificateValidations(ValidationStatu
PackageKey = PackageKey,
Status = PackageSignatureStatus.Unknown,
EndCertificate = certificate,
Type = PackageSignatureType.Author,
};

certificate.PackageSignatures = new[] { packageSignature };
Expand Down Expand Up @@ -271,6 +272,7 @@ public async Task InvalidSignatureFailsValidation(
Status = packageSignatureStatus,
PackageSigningState = packageSigningState,
EndCertificate = certificate,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -335,6 +337,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
EndCertificate = cert1SecondAgo,
}
},
Type = PackageSignatureType.Author,
},
};

Expand All @@ -354,6 +357,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
EndCertificate = cert1SecondAgo,
}
},
Type = PackageSignatureType.Author,
},
};

Expand All @@ -373,6 +377,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
EndCertificate = cert1YearAgo,
}
},
Type = PackageSignatureType.Author,
},
};

Expand All @@ -396,6 +401,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
EndCertificate = cert1YearAgo,
}
},
Type = PackageSignatureType.Author,
},
};

Expand All @@ -415,6 +421,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
EndCertificate = cert1SecondAgo,
}
},
Type = PackageSignatureType.Author,
},
};
}
Expand Down Expand Up @@ -489,7 +496,8 @@ public async Task ThrowsIfValidSignaturesHasTimestampWithRevokedCertificate()
var signature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Unknown
Status = PackageSignatureStatus.Unknown,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -630,7 +638,8 @@ public async Task ReturnsSucceededIfAllCertificatesAlreadyValidated()
var packageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -712,7 +721,8 @@ public async Task ReturnsIncompleteIfThereAreCertificatesToValidate()
var packageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -792,7 +802,8 @@ public async Task CertificateRevokedAfterPackageWasSignedDoesntInvalidateSignatu
var packageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -875,7 +886,8 @@ public async Task InvalidCertificatesAlwaysInvalidateSignature()
var packageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -1051,7 +1063,8 @@ public async Task OnRevalidationAllNonRevokedCertificatesAreVerified(
var packageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -1122,6 +1135,7 @@ public async Task RevokedSignaturesAreInvalidated()
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var timestamp = new TrustedTimestamp
Expand Down Expand Up @@ -1167,6 +1181,98 @@ public async Task RevokedSignaturesAreInvalidated()
Assert.Equal(PackageSigningStatus.Invalid, packageSigningState.SigningStatus);
}

[Theory]
[InlineData(PackageSignatureType.Repository)]
[InlineData((PackageSignatureType)0)]
public async Task NonAuthorSignaturesAreIgnored(PackageSignatureType type)
{
// Arrange
var validatorStatus = new ValidatorStatus
{
ValidationId = ValidationId,
ValidatorName = nameof(PackageCertificatesValidator),
PackageKey = PackageKey,
State = ValidationStatus.NotStarted,
ValidatorIssues = new List<ValidatorIssue>(),
};

var packageSigningState = new PackageSigningState
{
PackageKey = PackageKey,
PackageId = PackageId,
PackageNormalizedVersion = PackageNormalizedVersion,
SigningStatus = PackageSigningStatus.Valid,
};

var authorPackageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var repositoryPackageSignature = new PackageSignature
{
PackageKey = PackageKey,
Status = PackageSignatureStatus.Unknown,
Type = type,
};

var timestamp = new TrustedTimestamp
{
Value = DateTime.UtcNow.AddDays(-10)
};

var signatureCertificate = new EndCertificate
{
Key = 123,
Status = EndCertificateStatus.Good,
StatusUpdateTime = DateTime.UtcNow.AddSeconds(-10),
NextStatusUpdateTime = DateTime.UtcNow.AddDays(1),
LastVerificationTime = DateTime.UtcNow.AddSeconds(-10),
RevocationTime = null,
ValidationFailures = 0,
};

var timestampCertificate = new EndCertificate
{
Key = 456,
Status = EndCertificateStatus.Good,
StatusUpdateTime = DateTime.UtcNow.AddSeconds(-10),
NextStatusUpdateTime = DateTime.UtcNow.AddDays(1),
LastVerificationTime = DateTime.UtcNow.AddSeconds(-10),
RevocationTime = null,
ValidationFailures = 0,
};

packageSigningState.PackageSignatures = new[] { authorPackageSignature, repositoryPackageSignature };
authorPackageSignature.PackageSigningState = packageSigningState;
authorPackageSignature.TrustedTimestamps = new[] { timestamp };
authorPackageSignature.EndCertificate = signatureCertificate;
timestamp.EndCertificate = timestampCertificate;
signatureCertificate.PackageSignatures = new[] { authorPackageSignature };
timestampCertificate.TrustedTimestamps = new[] { timestamp };

_validationContext.Mock(
validatorStatuses: new[] { validatorStatus },
packageSigningStates: new[] { packageSigningState },
packageSignatures: new[] { authorPackageSignature, repositoryPackageSignature },
trustedTimestamps: new[] { timestamp },
endCertificates: new[] { signatureCertificate, timestampCertificate });

// Act & Assert
var actual = await _target.StartAsync(_validationRequest.Object);

_certificateVerifier.Verify(v => v.EnqueueVerificationAsync(It.IsAny<IValidationRequest>(), It.IsAny<EndCertificate>()), Times.Never);
_validationContext.Verify(c => c.SaveChangesAsync(), Times.Once);
_telemetryService.Verify(
x => x.TrackDurationToStartPackageCertificatesValidator(It.IsAny<TimeSpan>()),
Times.Never);

Assert.Equal(ValidationStatus.Succeeded, actual.Status);
Assert.Equal(ValidationStatus.Succeeded, validatorStatus.State);
}

public static IEnumerable<object[]> ValidationStatusesThatAreStarted = validationStatusesThatAreStarted.Select(s => new object[] { s });
}
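Review bot: `NonAuthorSignaturesAreIgnored` never asserts anything about the non-author signature itself, and that signature is given no `EndCertificate` or `TrustedTimestamps`, so the `Times.Never` expectation on `EnqueueVerificationAsync` says little about the filtered row. Adding `Assert.Equal(PackageSignatureStatus.Unknown, repositoryPackageSignature.Status);` after the act step would pin that its status is left alone. Giving the non-author signature its own certificate would make the `Times.Never` check meaningful for it. The local is also named `repositoryPackageSignature` although the second `[InlineData]` case is `(PackageSignatureType)0`; `nonAuthorPackageSignature` would match both cases.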

Expand Up @@ -55,6 +55,26 @@ public async Task DoesNoPromotionsIfNonePromotable()
Assert.Equal(PackageSignatureStatus.InGracePeriod, signature2.Status);
}

[Theory]
[InlineData(PackageSignatureType.Repository)]
[InlineData((PackageSignatureType)0)]
public async Task DoesNotPromoteNonAuthorSignatures(PackageSignatureType type)
{
// Arrange - make signature nonpromotable due to repository type.
var signature = PromotableSignature;

signature.Type = type;

_context.Mock(packageSignatures: new[] { signature });

// Act & Assert
await _target.PromoteSignaturesAsync();

_context.Verify(c => c.SaveChangesAsync(), Times.Never);

Assert.Equal(PackageSignatureStatus.InGracePeriod, signature.Status);
}

[Fact]
public async Task PromotesSignaturesIfPossible()
{
Expand Down Expand Up @@ -371,7 +391,9 @@ public Base()
StatusUpdateTime = DateTime.UtcNow,
}
}
}
},

Type = PackageSignatureType.Author,
};

protected EndCertificate StaleCertificate =>
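Review bot: The arrange comment in `DoesNotPromoteNonAuthorSignatures` says the signature is non-promotable "due to repository type", but the theory also runs with `(PackageSignatureType)0`, which is not the repository type. `// Arrange - make the signature non-promotable by giving it a non-author type.` describes both cases. The `// Act & Assert` label could also be split into `// Act` before `PromoteSignaturesAsync()` and `// Assert` before the `Verify` call, matching what the lines do.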
Expand Up @@ -72,9 +72,21 @@ public async Task ValidateSigningCertificate(
var packageSigningState2 = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };
var packageSigningState3 = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };

var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown };
var signatureInGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod };
var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid };
var signatureAtIngestion = new PackageSignature
{
Status = PackageSignatureStatus.Unknown,
Type = PackageSignatureType.Author,
};
var signatureInGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.InGracePeriod,
Type = PackageSignatureType.Author,
};
var signatureAfterGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var trustedTimestamp1 = new TrustedTimestamp { Status = TrustedTimestampStatus.Valid, Value = signatureTime };
var trustedTimestamp2 = new TrustedTimestamp { Status = TrustedTimestampStatus.Valid, Value = signatureTime };
Expand Down Expand Up @@ -212,9 +224,21 @@ public async Task ValidateTimestampingCertificate()

var packageSigningState = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };

var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown };
var signatureInGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod };
var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid };
var signatureAtIngestion = new PackageSignature
{
Status = PackageSignatureStatus.Unknown,
Type = PackageSignatureType.Author,
};
var signatureInGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.InGracePeriod,
Type = PackageSignatureType.Author,
};
var signatureAfterGracePeriod = new PackageSignature
{
Status = PackageSignatureStatus.Valid,
Type = PackageSignatureType.Author,
};

var endCertificate = new EndCertificate
{