Security verification

Change-Id: I759e3698a25dd4f84dc345c3fd4c0d201b75d233
Issue-ID: VNFSDK-395
Signed-off-by: Zebek Bogumil <bogumil.zebek@nokia.com>

7 files changed, 94 insertions, 214 deletions

diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java
deleted file mode 100644
index 801d8cf..0000000
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright 2019 Nokia
- * <p>
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package org.onap.cvc.csar;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class ZipFileContentValidator {
-
-    public static class CSARErrorCertMissing extends CSARArchive.CSARError {
-        CSARErrorCertMissing() {
-            super("0x1008");
-            this.message = "Missing. Cert file is not available!";
-        }
-    }
-
-    public static class CSARErrorCMSMissing extends CSARArchive.CSARError {
-        CSARErrorCMSMissing() {
-            super("0x1009");
-            this.message = "Missing. CMS file is not available!";
-        }
-    }
-
-    public List<CSARArchive.CSARError> validate(FileArchive.Workspace workspace){
-        final ArrayList<CSARArchive.CSARError> retValue = new ArrayList<>();
-
-        if(!workspace.getPathToCertFile().isPresent()){
-            retValue.add(new CSARErrorCertMissing());
-        }
-
-        if(!workspace.getPathToCmsFile().isPresent()){
-            retValue.add(new CSARErrorCMSMissing());
-        }
-
-        return retValue;
-    }
-}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java
index eafdbde..6e67df9 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java
@@ -22,9 +22,7 @@ import org.onap.cli.fw.error.OnapCommandExecutionFailed;
 import org.onap.cli.fw.input.OnapCommandParameter;
 import org.onap.cvc.csar.CSARArchive;
 import org.onap.cvc.csar.CSARArchive.CSARError;
-import org.onap.cvc.csar.FileArchive;
 import org.onap.cvc.csar.PnfCSARArchive;
-import org.onap.cvc.csar.ZipFileContentValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -34,8 +32,6 @@ import java.util.List;
 public abstract class VTPValidateCSARBase extends OnapCommand {
     protected static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARBase.class);
 
-    private final ZipFileContentValidator zipFileContentValidator = new ZipFileContentValidator();
-
     protected abstract void validateCSAR(CSARArchive csar) throws Exception;
 
     protected abstract String getVnfReqsNo();
@@ -52,12 +48,6 @@ public abstract class VTPValidateCSARBase extends OnapCommand {
         try (CSARArchive csar = isPnf ? new PnfCSARArchive(): new CSARArchive()){
 
             csar.init(path);
-
-            FileArchive.Workspace workspace = csar.getWorkspace();
-            if(workspace.isZip()) {
-                errors.addAll(zipFileContentValidator.validate(workspace));
-            }
-
             csar.parse();
 
             errors.addAll(csar.getErrors());
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
index 621ede0..97efd11 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
@@ -36,34 +36,46 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
 
     private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class);
 
-    public static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
+    static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
         CSARErrorInvalidSignature() {
             super("0x3001");
             this.message = "Invalid CSAR signature!";
         }
     }
 
-    @Override
-    protected void validateCSAR(CSARArchive csar) throws OnapCommandException {
+    static class CsarFileNotAvailableError extends CSARArchive.CSARError {
+        CsarFileNotAvailableError() {
+            super("0x3002");
+            this.message = "Missing. Csar file is not available!";
+        }
+    }
 
-        try {
-            final CmsSignatureValidator securityManager = new CmsSignatureValidator();
+    static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError {
+        SignatureWithCertificationOnlyWarning() {
+            super("0x3003");
+            this.message = "Warning. Zip package probably is valid. " +
+                    "It contains only signature with certification cms and csar package. " +
+                    "Unable to verify csar signature.";
+        }
+    }
 
-            FileArchive.Workspace workspace = csar.getWorkspace();
-            final Optional<Path> pathToCsarFile = workspace.getPathToCsarFile();
-            final Optional<Path> pathToCertFile = workspace.getPathToCertFile();
-            final Optional<Path> pathToCmsFile = workspace.getPathToCmsFile();
 
-            if (workspace.isZip() && pathToCsarFile.isPresent() && pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
-                    byte[] csarContent = Files.readAllBytes(pathToCsarFile.get());
-                    byte[] signature = Files.readAllBytes(pathToCmsFile.get());
-                    byte[] publicCertification = Files.readAllBytes(pathToCertFile.get());
+    static class BrokenZipPackageError extends CSARArchive.CSARError {
+        BrokenZipPackageError() {
+            super("0x3004");
+            this.message = "Missing. Unable to find certification files.";
+        }
+    }
 
-                    if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
-                        this.errors.add(new CSARErrorInvalidSignature());
-                    }
-                }
 
+    @Override
+    protected void validateCSAR(CSARArchive csar) throws OnapCommandException {
+
+        try {
+            FileArchive.Workspace workspace = csar.getWorkspace();
+            if (workspace.isZip()) {
+                verifyZipStructure(workspace);
+            }
         } catch (Exception e) {
             LOG.error("Internal VTPValidateCSARR787965 command error", e);
             throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787965 command error. See logs.");
@@ -71,6 +83,35 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
 
     }
 
+    private void verifyZipStructure(FileArchive.Workspace workspace) throws Exception {
+        final Optional<Path> pathToCsarFile = workspace.getPathToCsarFile();
+        final Optional<Path> pathToCertFile = workspace.getPathToCertFile();
+        final Optional<Path> pathToCmsFile = workspace.getPathToCmsFile();
+        if(!pathToCsarFile.isPresent()) {
+            this.errors.add(new CsarFileNotAvailableError());
+        } else {
+            if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
+                verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get());
+            } else if (pathToCmsFile.isPresent()) {
+                this.errors.add(new SignatureWithCertificationOnlyWarning());
+            } else {
+                this.errors.add(new BrokenZipPackageError());
+            }
+        }
+    }
+
+    private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws Exception {
+        final CmsSignatureValidator securityManager = new CmsSignatureValidator();
+
+        byte[] csarContent = Files.readAllBytes(pathToCsarFile);
+        byte[] signature = Files.readAllBytes(pathToCmsFile);
+        byte[] publicCertification = Files.readAllBytes(pathToCertFile);
+
+        if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
+            this.errors.add(new CSARErrorInvalidSignature());
+        }
+    }
+
     @Override
     protected String getVnfReqsNo() {
         return "R787965";
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java
deleted file mode 100644
index 7da91f8..0000000
--- a/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Copyright 2019 Nokia
- * <p>
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package org.onap.cvc.csar;
-
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
-
-import java.nio.file.Path;
-import java.util.List;
-import java.util.stream.Collectors;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-@RunWith(MockitoJUnitRunner.class)
-public class ZipFileContentValidatorTest {
-
-    @Mock
-    Path rootFolder;
-    @Mock
-    Path pathToCsarWorkspace;
-    @Mock
-    Path certFile;
-    @Mock
-    Path csarFile;
-    @Mock
-    Path cmsFile;
-
-    private ZipFileContentValidator zipFileContentValidator;
-
-
-    @Before
-    public void setUp(){
-         zipFileContentValidator = new ZipFileContentValidator();
-    }
-
-    @Test
-    public void shouldReportThatCertFileAndCmsFileIsNotAvailable() {
-        // given
-        FileArchive.Workspace workspace = FileArchive.Workspace.forZip(
-                rootFolder,
-                pathToCsarWorkspace,
-                null,
-                null,
-                null
-        );
-
-        // when
-        List<CSARArchive.CSARError> errors = zipFileContentValidator.validate(workspace);
-
-        // then
-        assertThat(errors.size()).isEqualTo(2);
-        assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains(
-                "Missing. Cert file is not available!", "Missing. CMS file is not available!"
-        );
-    }
-
-    @Test
-    public void shouldReportThatCertFileIsNotAvailable() {
-        // given
-        FileArchive.Workspace workspace = FileArchive.Workspace.forZip(
-                rootFolder,
-                pathToCsarWorkspace,
-                null,
-                cmsFile,
-                csarFile
-        );
-
-        // when
-        List<CSARArchive.CSARError> errors = zipFileContentValidator.validate(workspace);
-
-        // then
-        assertThat(errors.size()).isEqualTo(1);
-        assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains(
-                "Missing. Cert file is not available!"
-        );
-    }
-
-    @Test
-    public void shouldReportThatCmsFileIsNotAvailable() {
-        // given
-        FileArchive.Workspace workspace = FileArchive.Workspace.forZip(
-                rootFolder,
-                pathToCsarWorkspace,
-                certFile,
-                null,
-                csarFile
-        );
-
-        // when
-        List<CSARArchive.CSARError> errors = zipFileContentValidator.validate(workspace);
-
-        // then
-        assertThat(errors.size()).isEqualTo(1);
-        assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains(
-                "Missing. CMS file is not available!"
-        );
-    }
-
-    @Test
-    public void shouldNotReportAnyErrorWhenAllFilesAreAvailable() {
-        // given
-        FileArchive.Workspace workspace = FileArchive.Workspace.forZip(
-                rootFolder,
-                pathToCsarWorkspace,
-                certFile,
-                cmsFile,
-                csarFile
-        );
-
-        // when
-        List<CSARArchive.CSARError> errors = zipFileContentValidator.validate(workspace);
-
-        // then
-        assertThat(errors.size()).isEqualTo(0);
-    }
-}
\ No newline at end of file
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java
index c19fe99..ffbf87e 100644
--- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java
+++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java
@@ -60,6 +60,42 @@ public class VTPValidateCSARR787965IntegrationTest {
     }
 
     @Test
+    public void shouldReportThatZipContainsSignatureWithCertificationFileAndPackageIsProbableValid() throws Exception {
+
+        // given
+        configureTestCase(testCase, "pnf/r787965/signature-and-certificate.zip");
+
+        // when
+        testCase.execute();
+
+        // then
+        List<CSARArchive.CSARError> errors = testCase.getErrors();
+        assertThat(errors.size()).isEqualTo(1);
+        assertThat(convertToMessagesList(errors)).contains(
+                "Warning. Zip package probably is valid. " +
+                        "It contains only signature with certification cms and csar package. " +
+                        "Unable to verify csar signature."
+        );
+    }
+
+    @Test
+    public void shouldReportThatZipPackageIsBroken() throws Exception {
+
+        // given
+        configureTestCase(testCase, "pnf/r787965/broken.zip");
+
+        // when
+        testCase.execute();
+
+        // then
+        List<CSARArchive.CSARError> errors = testCase.getErrors();
+        assertThat(errors.size()).isEqualTo(1);
+        assertThat(convertToMessagesList(errors)).contains(
+                "Missing. Unable to find certification files."
+        );
+    }
+
+    @Test
     public void shouldDoNotReportAnyErrorWhenPackageHasValidSignature() throws Exception {
 
         // given
@@ -73,5 +109,4 @@ public class VTPValidateCSARR787965IntegrationTest {
         assertThat(errors.size()).isEqualTo(0);
     }
 
-
 }
\ No newline at end of file
diff --git a/csarvalidation/src/test/resources/pnf/r787965/broken.zip b/csarvalidation/src/test/resources/pnf/r787965/broken.zip
new file mode 100644
index 0000000..5447a8f
--- /dev/null
+++ b/csarvalidation/src/test/resources/pnf/r787965/broken.zip
diff --git a/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip b/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip
new file mode 100644
index 0000000..47470f4
--- /dev/null
+++ b/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip