From ad59044d59a02dc26f7a0a58c24a3316c79d16ff Mon Sep 17 00:00:00 2001 From: Krzysztof Kuzmicki Date: Thu, 7 May 2020 13:22:54 +0200 Subject: ROBOT e2e test cases improvements for csar/zip tosca package validation in VNFSDK and SDC Onbarding adding tosca package integrity check SOL004 package security option 1 Issue-ID: INT-1240 Signed-off-by: Krzysztof Kuzmicki Change-Id: Ic9f35fc3cee68975e2899a7a60b6c5cb51e1068d --- .../vnfsdk_validation_template.robot | 53 +++++++++++++++------ robot/resources/vnfsdk_interface.robot | 2 +- robot/testsuites/vnfsdk_validation.robot | 54 ++++++++++++++-------- 3 files changed, 76 insertions(+), 33 deletions(-) diff --git a/robot/resources/test_templates/vnfsdk_validation_template.robot b/robot/resources/test_templates/vnfsdk_validation_template.robot index 56cd0b96..cf7fcf23 100644 --- a/robot/resources/test_templates/vnfsdk_validation_template.robot +++ b/robot/resources/test_templates/vnfsdk_validation_template.robot 
@@ -22,33 +22,60 @@ ${VNFSDK_CSAR_DIRECTORY} ${VNFSDK_TOSCA_ONBOARDING_PACKAGES_DIRECTORY}/temp *** Keywords *** Validate Onboarding Package - [Arguments] ${package_folder} ${scenario}=onap-vtp ${test_suite_name}=validation ${test_case_name}=csar-validate ${pnf}=TRUE ${secured_package}=FALSE ${negative_test_case}=TRUE ${failed_vnfreqNames}=@{empty_list} ${sdc_response}=@{empty_list} ${secure_type}=CMS ${sdc_cert}=sdc-valid + [Arguments] ${package_folder} ${scenario}=onap-dublin ${test_suite_name}=validation ${test_case_name}=csar-validate ${pnf}=TRUE ${integrity_check}=FALSE ${secured_package}=FALSE ${negative_test_case}=TRUE ${failed_vnfreqNames}=@{empty_list} ${sdc_response}=@{empty_list} ${secure_type}=CMS ${sdc_cert}=sdc-valid + Disable Warnings Create Directory ${VNFSDK_CSAR_DIRECTORY} - ${onboarding_package_path}= Run Keyword If "${secured_package}"=='FALSE' Create CSAR Package ${package_folder} - ... ELSE Create Secured CSAR ZIP Package ${package_folder} ${secure_type} ${sdc_cert} + ${onboarding_package_path}= Run Keyword If "${secured_package}"=='FALSE' Create CSAR Package ${package_folder} ${integrity_check} ${sdc_cert} + ... ELSE Create Secured CSAR Package ${package_folder} ${integrity_check} ${secure_type} ${sdc_cert} + Validate Onboarding Package In SDC ${onboarding_package_path} ${package_folder} ${sdc_cert} ${negative_test_case} ${sdc_response} ${sdc_cert} Run Keyword If "${negative_test_case}"=='FALSE' Validate Valid Onboarding Package ${package_folder} ${onboarding_package_path} ${scenario} ${test_suite_name} ${test_case_name} ${pnf} ${secured_package} ... 
ELSE Validate Not Valid Onboarding Package ${package_folder} ${onboarding_package_path} ${scenario} ${test_suite_name} ${test_case_name} ${pnf} ${failed_vnfreqNames} ${secured_package} - Validate Onboarding Package In SDC ${onboarding_package_path} ${package_folder} ${sdc_cert} ${negative_test_case} ${sdc_response} ${sdc_cert} - Create CSAR Package + [Arguments] ${package_folder} ${integrity_check} ${cert} + ${csar} = Run Keyword If "${integrity_check}"=='FALSE' Create CSAR Package without integrity check ${package_folder} + ... ELSE Create CSAR Package with integrity check ${package_folder} ${integrity_check} ${cert} + [Return] ${csar} + +Create CSAR Package without integrity check [Arguments] ${package_folder} Empty Directory ${VNFSDK_CSAR_DIRECTORY} ${csar}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.csar Copy File ${GLOBAL_TOSCA_ONBOARDING_PACKAGES_FOLDER}/vnfsdk/${package_folder}.csar ${csar} [Return] ${csar} -Create Secured CSAR ZIP Package - [Arguments] ${package_folder} ${secure_type} ${sdc_cert} - ${zip}= Run Keyword If "${secure_type}"=='CMS' Create Secured CSAR ZIP Package with CMS ${package_folder} ${sdc_cert} - ... 
ELSE Create Secured CSAR ZIP Package with CMS and CERT ${package_folder} ${sdc_cert} +Create CSAR Package with integrity check + [Arguments] ${package_folder} ${integrity_check} ${cert} + Empty Directory ${VNFSDK_CSAR_DIRECTORY} + ${csar}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.csar + Copy Directory ${GLOBAL_TOSCA_ONBOARDING_PACKAGES_FOLDER}/vnfsdk/${package_folder} ${VNFSDK_CSAR_DIRECTORY} + ${meta}= OperatingSystem.Get File ${VNFSDK_CSAR_DIRECTORY}/${package_folder}/TOSCA-Metadata/TOSCA.meta + ${cert_name}= Get Regexp Matches ${meta} (?<=\ETSI-Entry-Certificate: )(.*) + Copy File /tmp/package-robot-${cert}.cert ${VNFSDK_CSAR_DIRECTORY}/${package_folder}/${cert_name}[0] + ${files} = List Files In Directory ${VNFSDK_CSAR_DIRECTORY}/${package_folder} *.mf absolute + Sign csar manifest file ${integrity_check} ${cert} ${files}[0] + ${rc} = Run and Return RC cd ${VNFSDK_CSAR_DIRECTORY}/${package_folder}; zip -r ${csar} * + Should Be Equal As Integers ${rc} 0 + Remove Directory ${VNFSDK_CSAR_DIRECTORY}/${package_folder} recursive=True + [Return] ${csar} + +Sign csar manifest file + [Arguments] ${integrity_check} ${cert} ${manifest} + ${rc} = Run Keyword If "${integrity_check}"=='CMS_with_cert' Run and Return RC openssl cms -sign -signer /tmp/package-robot-${cert}.cert -inkey /tmp/package-private-robot-${cert}.key -outform PEM -binary -in ${manifest} >> ${manifest} + ... ELSE Run and Return RC openssl cms -sign -signer /tmp/package-robot-${cert}.cert -inkey /tmp/package-private-robot-${cert}.key -outform PEM -binary -nocerts -in ${manifest} >> ${manifest} + Should Be Equal As Integers ${rc} 0 + +Create Secured CSAR Package + [Arguments] ${package_folder} ${integrity_check} ${secure_type} ${sdc_cert} + ${zip}= Run Keyword If "${secure_type}"=='CMS' Create Secured CSAR ZIP Package with CMS ${package_folder} ${integrity_check} ${sdc_cert} + ... 
ELSE Create Secured CSAR ZIP Package with CMS and CERT ${package_folder} ${integrity_check} ${sdc_cert} [Return] ${zip} Create Secured CSAR ZIP Package with CMS - [Arguments] ${package_folder} ${cert} + [Arguments] ${package_folder} ${integrity_check} ${cert} ${zip}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.zip ${cms}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.cms - ${csar}= Create CSAR Package ${package_folder} + ${csar}= Create CSAR Package ${package_folder} ${integrity_check} ${cert} ${rc} = Run and Return RC openssl cms -sign -signer /tmp/package-robot-${cert}.cert -inkey /tmp/package-private-robot-${cert}.key -outform PEM -binary -in ${csar} -out ${cms} Should Be Equal As Integers ${rc} 0 ${rc} = Run and Return RC cd ${VNFSDK_CSAR_DIRECTORY}; zip -r ${zip} * @@ -56,10 +83,10 @@ Create Secured CSAR ZIP Package with CMS [Return] ${zip} Create Secured CSAR ZIP Package with CMS and CERT - [Arguments] ${package_folder} ${cert} + [Arguments] ${package_folder} ${integrity_check} ${cert} ${zip}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.zip ${cms}= Catenate ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.cms - ${csar}= Create CSAR Package ${package_folder} + ${csar}= Create CSAR Package ${package_folder} ${integrity_check} ${cert} Copy File /tmp/package-robot-${cert}.cert ${VNFSDK_CSAR_DIRECTORY}/${package_folder}.cert ${rc} = Run and Return RC openssl cms -sign -signer /tmp/package-robot-${cert}.cert -inkey /tmp/package-private-robot-${cert}.key -outform PEM -binary -nocerts -in ${csar} -out ${cms} Should Be Equal As Integers ${rc} 0 diff --git a/robot/resources/vnfsdk_interface.robot b/robot/resources/vnfsdk_interface.robot index fea6b31a..c54b330e 100644 --- a/robot/resources/vnfsdk_interface.robot +++ b/robot/resources/vnfsdk_interface.robot 
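Review bot: In `Sign csar manifest file` the `ELSE` branch signs with `-nocerts` for every `integrity_check` value other than the exact string `CMS_with_cert`, and `Create CSAR Package` treats anything other than `FALSE` as a request to sign, so a mistyped mode in a test case silently exercises a different signature variant than its name claims. Both branches also redirect with `>> ${manifest}` while the same file is the `-in` input, which only works as long as openssl finishes reading before it writes; writing the CMS block to a separate file and appending it afterwards removes that dependency. I would make the accepted values explicit and fail on anything else, as sketched below. In the same hunk, `cd ${VNFSDK_CSAR_DIRECTORY}/${package_folder}; zip -r ${csar} *` should use `&&` so that a failed `cd` cannot archive the runner's current directory into the package.

```robotframework
Sign csar manifest file
    # … unchanged: [Arguments] …
    ${sign}=    Set Variable    openssl cms -sign -signer /tmp/package-robot-${cert}.cert -inkey /tmp/package-private-robot-${cert}.key -outform PEM -binary
    ${rc} =    Run Keyword If    "${integrity_check}"=='CMS_with_cert'    Run and Return RC    ${sign} -in ${manifest} -out ${manifest}.cms
    ...    ELSE IF    "${integrity_check}"=='CMS_without_cert'    Run and Return RC    ${sign} -nocerts -in ${manifest} -out ${manifest}.cms
    ...    ELSE    Fail    Unsupported integrity_check value: ${integrity_check}
    Should Be Equal As Integers    ${rc}    0
    ${rc} =    Run and Return RC    cat ${manifest}.cms >> ${manifest} && rm ${manifest}.cms
    Should Be Equal As Integers    ${rc}    0
```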
@@ -24,7 +24,7 @@ Run VNFSDK Get Request Run VNFSDK Post Request [Documentation] Runs VNFSDK Get request - [Arguments] ${data_path} ${files} ${headers} + [Arguments] ${data_path} ${files} ${session}= Create Session vnfsdk ${VNFSDK_ENDPOINT} ${resp}= Post Request vnfsdk ${data_path} files=${files} Log Received response from VNFSDK ${resp} diff --git a/robot/testsuites/vnfsdk_validation.robot b/robot/testsuites/vnfsdk_validation.robot index 993efca7..48ce94ae 100644 --- a/robot/testsuites/vnfsdk_validation.robot +++ b/robot/testsuites/vnfsdk_validation.robot 
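Review bot: `Run VNFSDK Post Request` loses its required `${headers}` argument here, so any caller that still passes three positional arguments will fail with an argument-count error; no call site is visible in this patch, so that should be confirmed before merging. While touching the keyword, the context line `[Documentation] Runs VNFSDK Get request` names the wrong verb and could become `[Documentation]    Runs VNFSDK Post request (file upload)`. The keyword body continues past the end of the hunk.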
@@ -9,17 +9,19 @@ Default Tags vnfsdk *** Variables *** -@{allMandatoryEntriesDefinedInTOSCAMeta} r146092 -@{no_pnfd_release_date_time_error} r57019 -@{non_mano_artifact_sets_is_mandatory} r146092 -@{noETSI-Entry-ManifestOrETSI-Entry-Change-Log} r293901 -@{PNFD_missing} SOL004 r10087 r87234 r35854 r15837 r17852 r293901 r146092 r57019 r787965 -@{allMandatoryEntriesDefinedInTOSCAMeta_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests=Artifacts/Tests Manifest contains invalid line : #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location -@{no_pnfd_release_date_time_error_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests=Artifacts/Tests Manifest contains invalid line : #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location -@{non_mano_artifact_sets_is_mandatory_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests=Artifacts/Tests Manifest contains invalid line : #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location -@{noETSI-Entry-ManifestOrETSI-Entry-Change-Log_sdc_message} Manifest contains invalid line : #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location +@{allMandatoryEntriesDefinedInTOSCAMeta} r146092 r130206 +@{no_pnfd_release_date_time_error} r57019 r130206 +@{non_mano_artifact_sets_is_mandatory} r146092 r130206 +@{noETSI-Entry-ManifestOrETSI-Entry-Change-Log} r293901 r130206 +@{PNFD_missing} SOL004 r10087 r87234 r35854 r15837 r17852 r293901 r146092 r57019 r787965 r130206 +@{missing_entry_in_manifest} +@{allMandatoryEntriesDefinedInTOSCAMeta_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests Manifest contains invalid line: 7: #The manifest file shall include a list of all files contained in or referenced from the VNF package with 
their location +@{no_pnfd_release_date_time_error_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests Invalid Manifest metadata entry: '#The manifest file shall include a list of all files contained in or referenced from the VNF package with their location'.;\nAt line 6: '#The manifest file shall include a list of all files contained in or referenced from the VNF package with their location'. +@{non_mano_artifact_sets_is_mandatory_sdc_message} Following entry not supported in TOSCA.meta Entry-Tests Manifest contains invalid line: 7: #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location +@{noETSI-Entry-ManifestOrETSI-Entry-Change-Log_sdc_message} Manifest contains invalid line: 7: #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location Manifest contains invalid line: 7: #The manifest file shall include a list of all files contained in or referenced from the VNF package with their location @{PNFD_missing_sdc_message} TOSCA.meta file in TOSCA-metadata directory missing entry Created-By @{invalid_certificate} Could not verify signature! +@{missing_entry_in_manifest_sdc_message} 'pnf_main_descriptor.cert' artifact is not being referenced in manifest file *** Test Cases *** 
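Review bot: `@{missing_entry_in_manifest}` is declared with no items, yet the suite passes it as `failed_vnfreqNames` for a case run with `negative_test_case=TRUE`, which reads as "VNFSDK must fail while reporting no failed requirement". How the list is compared is outside this patch, so if the intent is that only SDC rejects a package whose certificate is not referenced in the manifest, a comment such as `# VNFSDK reports no failed requirement for this package; rejection is expected from SDC only` above the variable would make that explicit. The new SDC messages also pin manifest line numbers (`invalid line: 7`, `At line 6`), so any edit to the fixture manifests will break these expectations.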
@@ -58,42 +60,56 @@ Validate Onboarding PNFD_missing ... Runs VNFSDK validation and comapres with list of expected errors. PNFD_missing failed_vnfreqNames=@{PNFD_missing} sdc_response=@{PNFD_missing_sdc_message} -Validate Onboarding test_SDC_and_VNFSDK_API +Validate Onboarding test_SDC_and_VNFSDK_API, integrity_check CMS_with_cert [Documentation] ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API ... Imports it as csar VSP package to SDC and expects success. ... Runs VNFSDK validation and and expects success. - test_SDC_and_VNFSDK_API negative_test_case=FALSE + test_SDC_and_VNFSDK_API_with_hash negative_test_case=FALSE integrity_check=CMS_with_cert -Validate Onboarding test_SDC_and_VNFSDK_API, secured csar, CMS only, valid certificate +Validate Onboarding test_SDC_and_VNFSDK_API, integrity_check CMS_without_cert + [Documentation] + ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API + ... Imports it as csar VSP package to SDC and expects success. + ... Runs VNFSDK validation and and expects success. + test_SDC_and_VNFSDK_API_with_hash negative_test_case=FALSE integrity_check=CMS_without_cert + +Validate Onboarding package with missing entry in manifest, integrity_check CMS_with_cert + [Documentation] + ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API + ... Imports it as csar VSP package to SDC and expects success. + ... Runs VNFSDK validation and and expects success. + test_SDC_and_VNFSDK_API_missing_entry_in_manifest negative_test_case=TRUE failed_vnfreqNames=@{missing_entry_in_manifest} sdc_response=@{missing_entry_in_manifest_sdc_message} integrity_check=CMS_with_cert + +Validate Onboarding test_SDC_and_VNFSDK_API, secured csar - CMS only - sdc valid certificate, integrity_check CMS_without_cert [Documentation] ... 
This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API ... Next sign with certificate that is imported to SDC onabarding POD using CMS only method (CMS file signs csar, zip contains only csar and cms files ) ... Imports it as zip VSP package to SDC and expects success. ... Runs VNFSDK validation and and expects success. - test_SDC_and_VNFSDK_API secured_package=TRUE negative_test_case=FALSE secure_type=CMS sdc_cert=sdc-valid + test_SDC_and_VNFSDK_API_with_hash secured_package=TRUE negative_test_case=FALSE integrity_check=CMS_without_cert secure_type=CMS sdc_cert=sdc-valid -Validate Onboarding test_SDC_and_VNFSDK_API, secured csar, CMS and CERT, valid certificate +Validate Onboarding test_SDC_and_VNFSDK_API, secured csar - CMS and CERT - sdc valid certificate, integrity_check CMS_with_cert [Documentation] ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API ... Next sign with certificate that is imported to SDC onabarding POD using CMS and CERT method (CMS file signs csar, zip contains csar, certificate and cms files ) ... Imports it as zip VSP package to SDC and expects success. ... Runs VNFSDK validation and and expects success. - test_SDC_and_VNFSDK_API secured_package=TRUE negative_test_case=FALSE secure_type=CMS_AND_CERT sdc_cert=sdc-valid + test_SDC_and_VNFSDK_API_with_hash secured_package=TRUE negative_test_case=FALSE integrity_check=CMS_with_cert secure_type=CMS_AND_CERT sdc_cert=sdc-valid -Validate Onboarding test_SDC_and_VNFSDK_API secured csar, CMS only, invalid certificate +Validate Onboarding test_SDC_and_VNFSDK_API, secured csar - CMS only - sdc invalid certificate, integrity_check CMS_without_cert [Documentation] ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API ... 
Next sign with certificate that is not imported to SDC onabarding POD using CMS only method (CMS file signs csar, zip contains only csar and cms files ) ... Imports it as zip VSP package to SDC and expects error due to issues with certificate validation. ... Runs VNFSDK validation and and expects success. - test_SDC_and_VNFSDK_API secured_package=TRUE negative_test_case=FALSE sdc_response=@{invalid_certificate} secure_type=CMS sdc_cert=sdc-invalid + test_SDC_and_VNFSDK_API_with_hash secured_package=TRUE negative_test_case=FALSE integrity_check=CMS_without_cert sdc_response=@{invalid_certificate} secure_type=CMS sdc_cert=sdc-invalid -Validate Onboarding test_SDC_and_VNFSDK_API secured csar, CMS and CERT, invalid certificate +Validate Onboarding test_SDC_and_VNFSDK_API, secured csar - CMS and CERT - sdc invalid certificate, integrity_check CMS_with_cert [Documentation] ... This test case creates TOSCA csar software package for PNF, based on /var/opt/ONAP/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API ... Next sign with certificate that is not imported to SDC onabarding POD using CMS and CERT method (CMS file signs csar, zip contains csar, certificate and cms files ) ... Imports it as zip VSP package to SDC and expects error due to issues with certificate validation. ... Runs VNFSDK validation and and expects success - test_SDC_and_VNFSDK_API secured_package=TRUE negative_test_case=FALSE sdc_response=@{invalid_certificate} secure_type=CMS_AND_CERT sdc_cert=sdc-invalid + test_SDC_and_VNFSDK_API_with_hash secured_package=TRUE negative_test_case=FALSE integrity_check=CMS_with_cert sdc_response=@{invalid_certificate} secure_type=CMS_AND_CERT sdc_cert=sdc-invalid -- cgit 1.2.3-korg
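Review bot: None of the new `integrity_check` cases modifies a packaged file or the manifest after signing, so the suite shows that signed packages are accepted but not that a hash or signature mismatch is rejected; the only negative case covers an artifact missing from the manifest. A case built from a fixture whose content no longer matches its manifest hash, expected to fail validation, would close that gap (other suites may cover it; none is visible here). Separately, the `[Documentation]` of `Validate Onboarding package with missing entry in manifest, integrity_check CMS_with_cert` is copied from the positive cases and still says both steps expect success, although it runs with `negative_test_case=TRUE` and an expected SDC error; a line such as `... Imports it as csar VSP package to SDC and expects the manifest-reference error.` would match the arguments.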