From f34e28d521b71be501dc85e75c5efa411c3194f1 Mon Sep 17 00:00:00 2001 From: "andre.schmid" Date: Mon, 30 Sep 2019 17:47:27 +0100 Subject: Validate artifacts signature in SOL004 package Change-Id: Ib048f4501fd8a81cdf11fab19f149350011f772e Issue-ID: SDC-2632 Signed-off-by: andre.schmid --- .../OnboardingPackageContentHandler.java | 53 ++++ .../onboarding/OnboardingPackageProcessor.java | 19 +- .../BaseOrchestrationTemplateHandler.java | 8 +- .../csar/validation/ONAPCsarValidator.java | 56 ++--- .../validation/SOL004MetaDirectoryValidator.java | 273 +++++++++++++-------- .../exception/MissingCertificateException.java | 27 ++ .../security/SecurityManager.java | 2 + .../types/OnboardPackage.java | 11 +- 8 files changed, 295 insertions(+), 154 deletions(-) create mode 100644 openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageContentHandler.java create mode 100644 openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/exception/MissingCertificateException.java (limited to 'openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main') diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageContentHandler.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageContentHandler.java new file mode 100644 index 0000000000..c519802568 --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageContentHandler.java @@ -0,0 +1,53 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2019 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.vendorsoftwareproduct.impl.onboarding; + +import java.util.HashMap; +import java.util.Map; +import java.util.Set; +import org.apache.commons.io.FilenameUtils; +import org.openecomp.core.utilities.file.FileContentHandler; + +public class OnboardingPackageContentHandler extends FileContentHandler { + + public OnboardingPackageContentHandler() { + } + + public OnboardingPackageContentHandler(final FileContentHandler other) { + super(other); + } + + public Map getFileAndSignaturePathMap(final Set signatureExtensionSet) { + final Map files = getFiles(); + final Map signedFilePairMap = new HashMap<>(); + files.keySet().stream() + .filter(filePath -> !signatureExtensionSet.contains(FilenameUtils.getExtension(filePath))) + .forEach(filePath -> { + final String filePathWithoutExtension = FilenameUtils.removeExtension(filePath); + signatureExtensionSet.stream() + .map(extension -> String.format("%s.%s", filePathWithoutExtension, extension)) + .filter(files::containsKey) + .forEach(file -> signedFilePairMap.put(filePath, file)); + signedFilePairMap.putIfAbsent(filePath, null); + }); + return signedFilePairMap; + } + +} diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageProcessor.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageProcessor.java index 1d502547dc..20d8e26cb0 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageProcessor.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/onboarding/OnboardingPackageProcessor.java @@ -25,8 +25,9 @@ import static org.openecomp.sdc.common.errors.Messages.PACKAGE_INVALID_EXTENSION import static org.openecomp.sdc.common.errors.Messages.PACKAGE_MISSING_INTERNAL_PACKAGE; import static org.openecomp.sdc.common.errors.Messages.PACKAGE_PROCESS_ERROR; import static org.openecomp.sdc.common.errors.Messages.PACKAGE_PROCESS_INTERNAL_PACKAGE_ERROR; +import static org.openecomp.sdc.vendorsoftwareproduct.security.SecurityManager.ALLOWED_CERTIFICATE_EXTENSIONS; +import static org.openecomp.sdc.vendorsoftwareproduct.security.SecurityManager.ALLOWED_SIGNATURE_EXTENSIONS; -import com.google.common.collect.ImmutableSet; import java.nio.ByteBuffer; import java.util.HashSet; import java.util.Map; @@ -43,15 +44,12 @@ import org.openecomp.sdc.datatypes.error.ErrorLevel; import org.openecomp.sdc.datatypes.error.ErrorMessage; import org.openecomp.sdc.logging.api.Logger; import org.openecomp.sdc.logging.api.LoggerFactory; -import org.openecomp.sdc.vendorsoftwareproduct.exception.OnboardPackageException; import org.openecomp.sdc.vendorsoftwareproduct.types.OnboardPackage; import org.openecomp.sdc.vendorsoftwareproduct.types.OnboardPackageInfo; import org.openecomp.sdc.vendorsoftwareproduct.types.OnboardSignedPackage; public class OnboardingPackageProcessor { private static final Logger LOGGER = LoggerFactory.getLogger(OnboardingPackageProcessor.class); - private static final Set ALLOWED_SIGNATURE_EXTENSIONS = ImmutableSet.of("cms"); - private static final Set ALLOWED_CERTIFICATE_EXTENSIONS = ImmutableSet.of("cert", "crt"); private static final String CSAR_EXTENSION = "csar"; private static final String ZIP_EXTENSION = "zip"; @@ -93,11 +91,13 @@ public class OnboardingPackageProcessor { if (hasSignedPackageStructure()) { return processSignedPackage(packageName, packageExtension); } else { - final OnboardPackage onboardPackage = new OnboardPackage(packageName, packageExtension, - ByteBuffer.wrap(packageFileContent), onboardPackageContentHandler); if (packageExtension.equalsIgnoreCase(CSAR_EXTENSION)) { + final OnboardPackage onboardPackage = new OnboardPackage(packageName, packageExtension, + ByteBuffer.wrap(packageFileContent), new OnboardingPackageContentHandler(onboardPackageContentHandler)); return new OnboardPackageInfo(onboardPackage, OnboardingTypesEnum.CSAR); } else if (packageExtension.equalsIgnoreCase(ZIP_EXTENSION)) { + final OnboardPackage onboardPackage = new OnboardPackage(packageName, packageExtension, + ByteBuffer.wrap(packageFileContent), onboardPackageContentHandler); return new OnboardPackageInfo(onboardPackage, OnboardingTypesEnum.ZIP); } } @@ -127,12 +127,13 @@ public class OnboardingPackageProcessor { final String internalPackageBaseName = FilenameUtils.getBaseName(internalPackagePath); final String internalPackageExtension = FilenameUtils.getExtension(internalPackagePath); final byte[] internalPackageContent = onboardPackageContentHandler.getFileContent(internalPackagePath); - final OnboardPackage onboardPackage; try { + final OnboardingPackageContentHandler fileContentHandler = + new OnboardingPackageContentHandler(CommonUtil.getZipContent(internalPackageContent)); onboardPackage = new OnboardPackage(internalPackageBaseName, internalPackageExtension, - internalPackageContent); - } catch (final OnboardPackageException e) { + internalPackageContent, fileContentHandler); + } catch (final ZipException e) { final String message = PACKAGE_PROCESS_INTERNAL_PACKAGE_ERROR.formatMessage(internalPackageName); LOGGER.error(message, e); reportError(ErrorLevel.ERROR, message); diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/BaseOrchestrationTemplateHandler.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/BaseOrchestrationTemplateHandler.java index 23cf41c5d5..68309106cd 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/BaseOrchestrationTemplateHandler.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/BaseOrchestrationTemplateHandler.java @@ -44,7 +44,7 @@ public abstract class BaseOrchestrationTemplateHandler implements OrchestrationT final OnboardPackage onboardPackage = onboardPackageInfo.getOnboardPackage(); final UploadFileResponse uploadFileResponse = new UploadFileResponse(); uploadFileResponse.setOnboardingType(getHandlerType()); - if (isFileFileToUploadEmpty(onboardPackage, uploadFileResponse, candidateService)) { + if (isFileToUploadEmpty(onboardPackage, uploadFileResponse, candidateService)) { return uploadFileResponse; } @@ -74,9 +74,9 @@ public abstract class BaseOrchestrationTemplateHandler implements OrchestrationT final OnboardPackageInfo onboardPackageInfo, final CandidateService candidateService); - private boolean isFileFileToUploadEmpty(final OnboardPackage onboardPackage, - final UploadFileResponse uploadFileResponse, - final CandidateService candidateService) { + private boolean isFileToUploadEmpty(final OnboardPackage onboardPackage, + final UploadFileResponse uploadFileResponse, + final CandidateService candidateService) { final ByteArrayInputStream fileToUpload = new ByteArrayInputStream( onboardPackage.getFileContent().array()); Optional errorMessage = diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/ONAPCsarValidator.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/ONAPCsarValidator.java index ceee5facd0..6597beb9f5 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/ONAPCsarValidator.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/ONAPCsarValidator.java @@ -20,7 +20,22 @@ package org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation; +import static org.openecomp.core.validation.errors.ErrorMessagesFormatBuilder.getErrorWithParameters; +import static org.openecomp.sdc.tosca.csar.CSARConstants.ELIGBLE_FOLDERS; +import static org.openecomp.sdc.tosca.csar.CSARConstants.ELIGIBLE_FILES; +import static org.openecomp.sdc.tosca.csar.CSARConstants.MAIN_SERVICE_TEMPLATE_MF_FILE_NAME; +import static org.openecomp.sdc.tosca.csar.CSARConstants.MAIN_SERVICE_TEMPLATE_YAML_FILE_NAME; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.ENTRY_DEFINITIONS; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.TOSCA_META_PATH_FILE_NAME; + +import java.io.IOException; +import java.io.InputStream; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; import java.util.Set; +import java.util.stream.Collectors; import org.openecomp.core.utilities.file.FileContentHandler; import org.openecomp.sdc.common.errors.Messages; import org.openecomp.sdc.common.utils.SdcCommon; @@ -32,21 +47,6 @@ import org.openecomp.sdc.tosca.csar.Manifest; import org.openecomp.sdc.tosca.csar.ONAPManifestOnboarding; import org.openecomp.sdc.tosca.csar.OnboardingToscaMetadata; import org.openecomp.sdc.tosca.csar.ToscaMetadata; -import java.io.IOException; -import java.io.InputStream; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.stream.Collectors; - -import static org.openecomp.core.validation.errors.ErrorMessagesFormatBuilder.getErrorWithParameters; -import static org.openecomp.sdc.tosca.csar.CSARConstants.ELIGBLE_FOLDERS; -import static org.openecomp.sdc.tosca.csar.CSARConstants.ELIGIBLE_FILES; -import static org.openecomp.sdc.tosca.csar.CSARConstants.MAIN_SERVICE_TEMPLATE_MF_FILE_NAME; -import static org.openecomp.sdc.tosca.csar.CSARConstants.MAIN_SERVICE_TEMPLATE_YAML_FILE_NAME; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ENTRY_DEFINITIONS; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_PATH_FILE_NAME; class ONAPCsarValidator implements Validator { @@ -56,7 +56,6 @@ class ONAPCsarValidator implements Validator { @Override public Map> validateContent(final FileContentHandler contentHandler) { - Map> errors = new HashMap<>(); validateManifest(contentHandler); validateMetadata(contentHandler); @@ -72,10 +71,10 @@ class ONAPCsarValidator implements Validator { private void validateMetadata(FileContentHandler contentMap){ if (!validateTOSCAYamlFileInRootExist(contentMap, MAIN_SERVICE_TEMPLATE_YAML_FILE_NAME)) { - try (InputStream metaFileContent = contentMap.getFileContentAsStream(TOSCA_META_PATH_FILE_NAME)) { + try (InputStream metaFileContent = contentMap.getFileContentAsStream(TOSCA_META_PATH_FILE_NAME.getName())) { ToscaMetadata onboardingToscaMetadata = OnboardingToscaMetadata.parseToscaMetadataFile(metaFileContent); - String entryDefinitionsPath = onboardingToscaMetadata.getMetaEntries().get(TOSCA_META_ENTRY_DEFINITIONS); + String entryDefinitionsPath = onboardingToscaMetadata.getMetaEntries().get(ENTRY_DEFINITIONS.getName()); if (entryDefinitionsPath != null) { validateFileExist(contentMap, entryDefinitionsPath); } else { @@ -92,24 +91,23 @@ class ONAPCsarValidator implements Validator { } } - private void validateManifest(FileContentHandler contentMap) { - + private void validateManifest(final FileContentHandler contentMap) { if (!validateFileExist(contentMap, MAIN_SERVICE_TEMPLATE_MF_FILE_NAME)) { return; } - try (InputStream fileContent = contentMap.getFileContentAsStream(MAIN_SERVICE_TEMPLATE_MF_FILE_NAME)) { - - Manifest onboardingManifest = new ONAPManifestOnboarding(); + try (final InputStream fileContent = contentMap.getFileContentAsStream(MAIN_SERVICE_TEMPLATE_MF_FILE_NAME)) { + final Manifest onboardingManifest = new ONAPManifestOnboarding(); onboardingManifest.parse(fileContent); if (!onboardingManifest.isValid()) { - onboardingManifest.getErrors().forEach(error -> uploadFileErrors.add(new ErrorMessage(ErrorLevel.ERROR, - error))); + onboardingManifest.getErrors() + .forEach(error -> uploadFileErrors.add(new ErrorMessage(ErrorLevel.ERROR, error))); } - - } catch (IOException e) { - // convert to runtime to keep the throws unchanged - throw new RuntimeException("Failed to validateContent manifest", e); + } catch (final IOException ex) { + final String errorMessage = + Messages.MANIFEST_UNEXPECTED_ERROR.formatMessage(MAIN_SERVICE_TEMPLATE_MF_FILE_NAME, ex.getMessage()); + uploadFileErrors.add(new ErrorMessage(ErrorLevel.ERROR, errorMessage)); + logger.error(errorMessage, ex); } } diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/SOL004MetaDirectoryValidator.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/SOL004MetaDirectoryValidator.java index 6274a54a58..9481a021e2 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/SOL004MetaDirectoryValidator.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/SOL004MetaDirectoryValidator.java @@ -20,7 +20,38 @@ package org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation; + +import static org.openecomp.sdc.tosca.csar.CSARConstants.CSAR_VERSION_1_0; +import static org.openecomp.sdc.tosca.csar.CSARConstants.CSAR_VERSION_1_1; +import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_METADATA_LIMIT; +import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_PNF_METADATA; +import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_VNF_METADATA; +import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_MANIFEST_FILE_EXT; +import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_TYPE_PNF; +import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_TYPE_VNF; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.CREATED_BY_ENTRY; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.CSAR_VERSION_ENTRY; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.ENTRY_DEFINITIONS; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.ETSI_ENTRY_CERTIFICATE; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.ETSI_ENTRY_MANIFEST; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.TOSCA_META_FILE_VERSION; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.TOSCA_META_FILE_VERSION_ENTRY; +import static org.openecomp.sdc.tosca.csar.ToscaMetaEntry.TOSCA_META_PATH_FILE_NAME; +import static org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.NonManoArtifactType.ONAP_PM_DICTIONARY; +import static org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.NonManoArtifactType.ONAP_VES_EVENTS; + +import java.io.IOException; import java.io.InputStream; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.concurrent.CopyOnWriteArrayList; +import java.util.stream.Collectors; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.io.FilenameUtils; import org.openecomp.core.impl.ToscaDefinitionImportHandler; @@ -35,42 +66,15 @@ import org.openecomp.sdc.logging.api.LoggerFactory; import org.openecomp.sdc.tosca.csar.Manifest; import org.openecomp.sdc.tosca.csar.OnboardingToscaMetadata; import org.openecomp.sdc.tosca.csar.SOL004ManifestOnboarding; +import org.openecomp.sdc.tosca.csar.ToscaMetaEntry; import org.openecomp.sdc.tosca.csar.ToscaMetadata; +import org.openecomp.sdc.vendorsoftwareproduct.impl.onboarding.OnboardingPackageContentHandler; +import org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.exception.MissingCertificateException; import org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.exceptions.InvalidManifestMetadataException; -import java.io.IOException; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Optional; -import java.util.Set; -import java.util.stream.Collectors; +import org.openecomp.sdc.vendorsoftwareproduct.security.SecurityManager; +import org.openecomp.sdc.vendorsoftwareproduct.security.SecurityManagerException; import org.yaml.snakeyaml.Yaml; -import static org.openecomp.sdc.tosca.csar.CSARConstants.CSAR_VERSION_1_0; -import static org.openecomp.sdc.tosca.csar.CSARConstants.CSAR_VERSION_1_1; -import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_METADATA_LIMIT; -import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_PNF_METADATA; -import static org.openecomp.sdc.tosca.csar.CSARConstants.MANIFEST_VNF_METADATA; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_MANIFEST_FILE_EXT; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ETSI_ENTRY_CERTIFICATE; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_FILE_VERSION_ENTRY; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_CREATED_BY_ENTRY; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_CSAR_VERSION_ENTRY; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ETSI_ENTRY_CHANGE_LOG; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ENTRY_DEFINITIONS; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ETSI_ENTRY_LICENSES; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ETSI_ENTRY_MANIFEST; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_ETSI_ENTRY_TESTS; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_FILE_VERSION; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_META_PATH_FILE_NAME; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_TYPE_PNF; -import static org.openecomp.sdc.tosca.csar.CSARConstants.TOSCA_TYPE_VNF; -import static org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.NonManoArtifactType.ONAP_PM_DICTIONARY; -import static org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.NonManoArtifactType.ONAP_VES_EVENTS; - /** * Validates the contents of the package to ensure it complies with the "CSAR with TOSCA-Metadata directory" structure * as defined in ETSI GS NFV-SOL 004 v2.6.1. @@ -81,28 +85,42 @@ class SOL004MetaDirectoryValidator implements Validator { private static final String MANIFEST_SOURCE = "Source"; private static final String MANIFEST_NON_MANO_SOURCE = "Non-MANO Source"; - private final List errorsByFile = new ArrayList<>(); - private FileContentHandler contentHandler; + private final List errorsByFile = new CopyOnWriteArrayList<>(); + private final SecurityManager securityManager = SecurityManager.getInstance(); + private OnboardingPackageContentHandler contentHandler; private Set folderList; private ToscaMetadata toscaMetadata; @Override - public Map> validateContent(final FileContentHandler contentHandler) { - this.contentHandler = contentHandler; + public Map> validateContent(final FileContentHandler fileContentHandler) { + this.contentHandler = (OnboardingPackageContentHandler) fileContentHandler; this.folderList = contentHandler.getFolderList(); parseToscaMetadata(); verifyMetadataFile(); + + if (packageHasCertificate()) { + verifySignedFiles(); + } return Collections.unmodifiableMap(getAnyValidationErrors()); } + private boolean packageHasCertificate() { + final String certificatePath = getCertificatePath().orElse(null); + return contentHandler.containsFile(certificatePath); + } + + private Optional getCertificatePath() { + return toscaMetadata.getEntry(ETSI_ENTRY_CERTIFICATE); + } + /** - * Parses the {@link org.openecomp.sdc.tosca.csar.CSARConstants#TOSCA_META_PATH_FILE_NAME} file + * Parses the {@link ToscaMetaEntry#TOSCA_META_PATH_FILE_NAME;} file */ private void parseToscaMetadata() { try { toscaMetadata = OnboardingToscaMetadata - .parseToscaMetadataFile(contentHandler.getFileContentAsStream(TOSCA_META_PATH_FILE_NAME)); + .parseToscaMetadataFile(contentHandler.getFileContentAsStream(TOSCA_META_PATH_FILE_NAME.getName())); } catch (final IOException e) { reportError(ErrorLevel.ERROR, Messages.METADATA_PARSER_INTERNAL.getErrorMessage()); LOGGER.error(Messages.METADATA_PARSER_INTERNAL.getErrorMessage(), e.getMessage(), e); @@ -118,17 +136,43 @@ class SOL004MetaDirectoryValidator implements Validator { } } + private void verifySignedFiles() { + final Map signedFileMap = contentHandler.getFileAndSignaturePathMap(SecurityManager.ALLOWED_SIGNATURE_EXTENSIONS); + final String packageCertificatePath = getCertificatePath().orElse(null); + final byte[] packageCert = contentHandler.getFileContent(packageCertificatePath); + if(packageCert == null) { + throw new MissingCertificateException("Expected package certificate"); + } + signedFileMap.entrySet().stream().filter(entry -> entry.getValue() != null).forEach(entry -> { + final String filePath = entry.getKey(); + final String fileSignaturePath = entry.getValue(); + final byte[] fileBytes = contentHandler.getFileContent(filePath); + final byte[] fileSignatureBytes = contentHandler.getFileContent(fileSignaturePath); + try { + if (!securityManager.verifySignedData(fileSignatureBytes, packageCert, fileBytes)) { + reportError(ErrorLevel.ERROR, + Messages.ARTIFACT_INVALID_SIGNATURE.formatMessage(fileSignaturePath, filePath)); + } + } catch (final SecurityManagerException e) { + final String errorMessage = Messages.ARTIFACT_SIGNATURE_VALIDATION_ERROR + .formatMessage(fileSignaturePath, filePath, packageCertificatePath, e.getMessage()); + reportError(ErrorLevel.ERROR, errorMessage); + LOGGER.error(errorMessage, e); + } + }); + } + private void verifyManifestNameAndExtension() { final Map entries = toscaMetadata.getMetaEntries(); - final String manifestFileName = getFileName(entries.get(TOSCA_META_ETSI_ENTRY_MANIFEST)); - final String manifestExtension = getFileExtension(entries.get(TOSCA_META_ETSI_ENTRY_MANIFEST)); - final String mainDefinitionFileName = getFileName(entries.get(TOSCA_META_ENTRY_DEFINITIONS)); + final String manifestFileName = getFileName(entries.get(ETSI_ENTRY_MANIFEST.getName())); + final String manifestExtension = getFileExtension(entries.get(ETSI_ENTRY_MANIFEST.getName())); + final String mainDefinitionFileName = getFileName(entries.get(ENTRY_DEFINITIONS.getName())); if (!(TOSCA_MANIFEST_FILE_EXT).equals(manifestExtension)) { reportError(ErrorLevel.ERROR, Messages.MANIFEST_INVALID_EXT.getErrorMessage()); } if (!mainDefinitionFileName.equals(manifestFileName)) { reportError(ErrorLevel.ERROR, String.format(Messages.MANIFEST_INVALID_NAME.getErrorMessage(), - manifestFileName, mainDefinitionFileName)); + manifestFileName, mainDefinitionFileName)); } } @@ -140,90 +184,99 @@ class SOL004MetaDirectoryValidator implements Validator { return FilenameUtils.getBaseName(filePath); } - private boolean hasETSIMetadata(){ + private boolean hasETSIMetadata() { final Map entries = toscaMetadata.getMetaEntries(); - return hasEntry(entries, TOSCA_META_FILE_VERSION_ENTRY) - && hasEntry(entries, TOSCA_META_CSAR_VERSION_ENTRY) - && hasEntry(entries, TOSCA_META_CREATED_BY_ENTRY); + return hasEntry(entries, TOSCA_META_FILE_VERSION_ENTRY.getName()) + && hasEntry(entries, CSAR_VERSION_ENTRY.getName()) + && hasEntry(entries, CREATED_BY_ENTRY.getName()); } private boolean hasEntry(final Map entries, final String mandatoryEntry) { if (!entries.containsKey(mandatoryEntry)) { - reportError(ErrorLevel.ERROR, String.format(Messages.METADATA_MISSING_ENTRY.getErrorMessage(),mandatoryEntry)); + reportError(ErrorLevel.ERROR, + String.format(Messages.METADATA_MISSING_ENTRY.getErrorMessage(), mandatoryEntry)); return false; } return true; } private void handleMetadataEntries() { - for(final Map.Entry entry: toscaMetadata.getMetaEntries().entrySet()){ - handleEntry(entry); - } + toscaMetadata.getMetaEntries().entrySet().parallelStream().forEach(this::handleEntry); } private void handleEntry(final Map.Entry entry) { final String key = entry.getKey(); + final ToscaMetaEntry toscaMetaEntry = ToscaMetaEntry.parse(entry.getKey()).orElse(null); + if (toscaMetaEntry == null) { + reportError(ErrorLevel.ERROR, Messages.METADATA_UNSUPPORTED_ENTRY.formatMessage(key)); + LOGGER.warn(Messages.METADATA_UNSUPPORTED_ENTRY.getErrorMessage(), key); + return; + } final String value = entry.getValue(); - switch (key){ + + switch (toscaMetaEntry) { case TOSCA_META_FILE_VERSION_ENTRY: - case TOSCA_META_CSAR_VERSION_ENTRY: - case TOSCA_META_CREATED_BY_ENTRY: + case CSAR_VERSION_ENTRY: + case CREATED_BY_ENTRY: verifyMetadataEntryVersions(key, value); break; - case TOSCA_META_ENTRY_DEFINITIONS: + case ENTRY_DEFINITIONS: validateDefinitionFile(value); break; - case TOSCA_META_ETSI_ENTRY_MANIFEST: + case ETSI_ENTRY_MANIFEST: validateManifestFile(value); break; - case TOSCA_META_ETSI_ENTRY_CHANGE_LOG: + case ETSI_ENTRY_CHANGE_LOG: validateChangeLog(value); break; - case TOSCA_META_ETSI_ENTRY_TESTS: - case TOSCA_META_ETSI_ENTRY_LICENSES: + case ETSI_ENTRY_TESTS: + case ETSI_ENTRY_LICENSES: validateOtherEntries(entry); break; - case TOSCA_META_ETSI_ENTRY_CERTIFICATE: - validateOtherEntries(value); + case ETSI_ENTRY_CERTIFICATE: + validateCertificate(value); break; default: - reportError(ErrorLevel.ERROR, Messages.METADATA_UNSUPPORTED_ENTRY.formatMessage(entry.toString())); - LOGGER.warn(Messages.METADATA_UNSUPPORTED_ENTRY.getErrorMessage(), entry); + reportError(ErrorLevel.ERROR, Messages.METADATA_UNSUPPORTED_ENTRY.formatMessage(key)); + LOGGER.warn(Messages.METADATA_UNSUPPORTED_ENTRY.getErrorMessage(), key); break; } } private void validateOtherEntries(final Map.Entry entry) { - final String manifestFile = toscaMetadata.getMetaEntries().get(TOSCA_META_ETSI_ENTRY_MANIFEST); - if(verifyFileExists(contentHandler.getFileList(), manifestFile)){ + final String manifestFile = toscaMetadata.getMetaEntries().get(ETSI_ENTRY_MANIFEST.getName()); + if (verifyFileExists(contentHandler.getFileList(), manifestFile)) { final Manifest onboardingManifest = new SOL004ManifestOnboarding(); onboardingManifest.parse(contentHandler.getFileContentAsStream(manifestFile)); final Optional resourceType = onboardingManifest.getType(); - if (resourceType.isPresent() && resourceType.get() == ResourceTypeEnum.VF){ + if (resourceType.isPresent() && resourceType.get() == ResourceTypeEnum.VF) { final String value = (String) entry.getValue(); validateOtherEntries(value); } else { final String key = (String) entry.getKey(); - reportError(ErrorLevel.ERROR, String.format(Messages.MANIFEST_INVALID_PNF_METADATA.getErrorMessage(), key)); + reportError(ErrorLevel.ERROR, + String.format(Messages.MANIFEST_INVALID_PNF_METADATA.getErrorMessage(), key)); } } } private void verifyMetadataEntryVersions(final String key, final String version) { - if(!(isValidTOSCAVersion(key,version) || isValidCSARVersion(key, version) || TOSCA_META_CREATED_BY_ENTRY.equals(key))) { - errorsByFile.add(new ErrorMessage(ErrorLevel.ERROR, String.format(Messages.METADATA_INVALID_VERSION.getErrorMessage(), key, version))); + if (!(isValidTOSCAVersion(key, version) || isValidCSARVersion(key, version) + || CREATED_BY_ENTRY.getName().equals(key))) { + errorsByFile.add(new ErrorMessage(ErrorLevel.ERROR, + String.format(Messages.METADATA_INVALID_VERSION.getErrorMessage(), key, version))); LOGGER.error("{}: key {} - value {} ", Messages.METADATA_INVALID_VERSION.getErrorMessage(), key, version); } } - private boolean isValidTOSCAVersion(final String key, final String version){ - return TOSCA_META_FILE_VERSION_ENTRY.equals(key) && TOSCA_META_FILE_VERSION.equals(version); + private boolean isValidTOSCAVersion(final String key, final String version) { + return TOSCA_META_FILE_VERSION_ENTRY.getName().equals(key) && TOSCA_META_FILE_VERSION.getName().equals(version); } - private boolean isValidCSARVersion(final String value, final String version){ - return TOSCA_META_CSAR_VERSION_ENTRY.equals(value) && (CSAR_VERSION_1_1.equals(version) - || CSAR_VERSION_1_0.equals(version)); + private boolean isValidCSARVersion(final String value, final String version) { + return CSAR_VERSION_ENTRY.getName().equals(value) && (CSAR_VERSION_1_1.equals(version) + || CSAR_VERSION_1_0.equals(version)); } private void validateDefinitionFile(final String filePath) { @@ -274,9 +327,9 @@ class SOL004MetaDirectoryValidator implements Validator { MANIFEST_METADATA_LIMIT)); } if (isPnfMetadata(metadata)) { - handlePnfMetadataEntries(metadata); + handleMetadataEntries(metadata, MANIFEST_PNF_METADATA); } else { - handleVnfMetadataEntries(metadata); + handleMetadataEntries(metadata, MANIFEST_VNF_METADATA); } } @@ -292,26 +345,18 @@ class SOL004MetaDirectoryValidator implements Validator { return TOSCA_TYPE_PNF.equals(expectedMetadataType); } - private void handleVnfMetadataEntries(final Map metadata) { - for (final String requiredVnfEntry : MANIFEST_VNF_METADATA) { - if (!metadata.containsKey(requiredVnfEntry)) { - reportError(ErrorLevel.ERROR, String.format(Messages.MANIFEST_METADATA_MISSING_ENTRY.getErrorMessage(), requiredVnfEntry)); - } - } - } - - private void handlePnfMetadataEntries(final Map metadata) { - for (final String requiredPnfEntry : MANIFEST_PNF_METADATA) { - if (!metadata.containsKey(requiredPnfEntry)) { - reportError(ErrorLevel.ERROR, String.format(Messages.MANIFEST_METADATA_MISSING_ENTRY.getErrorMessage(), requiredPnfEntry)); - } - } + private void handleMetadataEntries(final Map metadata, final Set manifestMetadata) { + manifestMetadata.stream() + .filter(requiredEntry -> !metadata.containsKey(requiredEntry)) + .forEach(requiredEntry -> + reportError(ErrorLevel.ERROR, + String.format(Messages.MANIFEST_METADATA_MISSING_ENTRY.getErrorMessage(), requiredEntry))); } /** * Checks if all manifest sources exists within the package and if all package files are being referred. * - * @param onboardingManifest The manifest + * @param onboardingManifest The manifest */ private void verifyManifestSources(final Manifest onboardingManifest) { final Set packageFiles = contentHandler.getFileList(); @@ -338,10 +383,10 @@ class SOL004MetaDirectoryValidator implements Validator { } /** - * Validates if a YAML file has the correct extension, is not empty and the content is a valid YAML. - * Reports each error found. + * Validates if a YAML file has the correct extension, is not empty and the content is a valid YAML. Reports each + * error found. * - * @param filePath the file path inside the package + * @param filePath the file path inside the package */ private void validateYaml(final String filePath) { if (!contentHandler.containsFile(filePath)) { @@ -366,34 +411,43 @@ class SOL004MetaDirectoryValidator implements Validator { } /** - * Checks if all package files are referred in manifest. - * Reports missing references. + * Checks if all package files are referred in manifest. Reports missing references. * - * @param referredFileSet the list of referred files path - * @param packageFileSet the list of package file path + * @param referredFileSet the list of referred files path + * @param packageFileSet the list of package file path */ private void verifyFilesBeingReferred(final Set referredFileSet, final Set packageFileSet) { packageFileSet.forEach(filePath -> { if (!referredFileSet.contains(filePath)) { - reportError(ErrorLevel.ERROR, String.format(Messages.MISSING_MANIFEST_REFERENCE.getErrorMessage(), filePath)); + reportError(ErrorLevel.ERROR, + String.format(Messages.MISSING_MANIFEST_REFERENCE.getErrorMessage(), filePath)); } }); } - private List filterSources(final List source){ + private List filterSources(final List source) { return source.stream() - .filter(this::externalFileReferences) - .collect(Collectors.toList()); + .filter(this::externalFileReferences) + .collect(Collectors.toList()); } - private boolean externalFileReferences(final String filePath){ + private boolean externalFileReferences(final String filePath) { return !filePath.contains("://"); } private void validateOtherEntries(final String folderPath) { - if(!verifyFoldersExist(folderList, folderPath)) + if (!verifyFoldersExist(folderList, folderPath)) { reportError(ErrorLevel.ERROR, String.format(Messages.METADATA_MISSING_OPTIONAL_FOLDERS.getErrorMessage(), - folderPath)); + folderPath)); + } + } + + private void validateCertificate(final String file) { + final Set packageFiles = contentHandler.getFileList(); + if (!verifyFileExist(packageFiles, file)) { + reportError(ErrorLevel.ERROR, + String.format(Messages.MISSING_METADATA_FILES.getErrorMessage(), file, file)); + } } private boolean verifyFoldersExist(final Set folderList, final String folderPath) { @@ -402,14 +456,19 @@ class SOL004MetaDirectoryValidator implements Validator { private void verifyFilesExist(final Set existingFiles, final List sources, final String type) { sources.forEach(file -> { - if(!existingFiles.contains(file)){ - reportError(ErrorLevel.ERROR, String.format(Messages.MISSING_MANIFEST_SOURCE.getErrorMessage(), type, file)); + if (!existingFiles.contains(file)) { + reportError(ErrorLevel.ERROR, + String.format(Messages.MISSING_MANIFEST_SOURCE.getErrorMessage(), type, file)); } }); } + private boolean verifyFileExist(final Set existingFiles, final String file) { + return existingFiles.contains(file); + } + private void validateChangeLog(final String filePath) { - if(!verifyFileExists(contentHandler.getFileList(), filePath)){ + if (!verifyFileExists(contentHandler.getFileList(), filePath)) { reportError(ErrorLevel.ERROR, String.format(Messages.MISSING_METADATA_FILES.getErrorMessage(), filePath)); } } diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/exception/MissingCertificateException.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/exception/MissingCertificateException.java new file mode 100644 index 0000000000..620ff345ad --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/impl/orchestration/csar/validation/exception/MissingCertificateException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2019 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.vendorsoftwareproduct.impl.orchestration.csar.validation.exception; + +public class MissingCertificateException extends RuntimeException { + + public MissingCertificateException(String s) { + super(s); + } +} diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java index 2928905603..53c2e1d0bc 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java @@ -72,6 +72,8 @@ import org.openecomp.sdc.logging.api.LoggerFactory; public class SecurityManager { private static final String CERTIFICATE_DEFAULT_LOCATION = "cert"; + public static final Set ALLOWED_SIGNATURE_EXTENSIONS = ImmutableSet.of("cms"); + public static final Set ALLOWED_CERTIFICATE_EXTENSIONS = ImmutableSet.of("cert", "crt"); private Logger logger = LoggerFactory.getLogger(SecurityManager.class); private Set trustedCertificates = new HashSet<>(); diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/types/OnboardPackage.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/types/OnboardPackage.java index 60bd5ae0a0..1551cd8a1d 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/types/OnboardPackage.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/types/OnboardPackage.java @@ -22,9 +22,10 @@ package org.openecomp.sdc.vendorsoftwareproduct.types; import java.nio.ByteBuffer; import lombok.Getter; import org.openecomp.core.utilities.file.FileContentHandler; -import org.openecomp.sdc.common.zip.exception.ZipException; import org.openecomp.sdc.common.utils.CommonUtil; +import org.openecomp.sdc.common.zip.exception.ZipException; import org.openecomp.sdc.vendorsoftwareproduct.exception.OnboardPackageException; +import org.openecomp.sdc.vendorsoftwareproduct.impl.onboarding.OnboardingPackageContentHandler; @Getter public class OnboardPackage { @@ -48,14 +49,14 @@ public class OnboardPackage { this.fileExtension = fileExtension; this.fileContent = fileContent; try { - fileContentHandler = CommonUtil.getZipContent(fileContent.array()); + fileContentHandler = new OnboardingPackageContentHandler(CommonUtil.getZipContent(fileContent.array())); } catch (final ZipException e) { throw new OnboardPackageException("Could not read the package content", e); } } - public OnboardPackage(final String packageName, final String packageExtension, final byte[] packageContentBytes) - throws OnboardPackageException { - this(packageName, packageExtension, ByteBuffer.wrap(packageContentBytes)); + public OnboardPackage(final String packageName, final String packageExtension, final byte[] packageContentBytes, + final FileContentHandler fileContentHandler) { + this(packageName, packageExtension, ByteBuffer.wrap(packageContentBytes), fileContentHandler); } } -- cgit 1.2.3-korg