From 6767596c5b15b75a3f1ae43e169aa88e0de56c3a Mon Sep 17 00:00:00 2001 From: Bartosz Gardziejewski Date: Thu, 17 Sep 2020 14:46:47 +0200 Subject: Fixing R130206 certificate searching mechanism Issue-ID: VNFSDK-595 Signed-off-by: Bartosz Gardziejewski Change-Id: I8dacd924b16812378356b05291229f2097dfcbe1 --- .../VTPValidateCSARR130206IntegrationTest.java | 329 +++++++++++++++++++-- 1 file changed, 298 insertions(+), 31 deletions(-) (limited to 'csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004') diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java index 3eed6c6..cdaef79 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java @@ -49,10 +49,10 @@ public class VTPValidateCSARR130206IntegrationTest { "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + "Use instructions for option 1. Test was created for manual verification." ) - public void manual_shouldValidateProperCsar() throws Exception { + public void manual_shouldValidateProperCsarWithCms() throws Exception { // given - configureTestCase(testCase, "pnf/r130206/csar-option1-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
@@ -64,13 +64,31 @@ public class VTPValidateCSARR130206IntegrationTest { @Test @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + - "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + - "Use instructions for option 1. Test was created for manual verification." + "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + + "Use instructions for option 1. Test was created for manual verification." + ) + public void manual_shouldValidateCsarWithCertificateInToscaEtsiWithValidSignature() throws Exception { + + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isZero(); + } + + @Test + @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + + "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + + "Use instructions for option 1. Test was created for manual verification." ) - public void manual_shouldValidateCsarWithCertificateInEtsiAndMissingInCMS() throws Exception { + public void manual_shouldValidateCsarWithCertificateInRootWithValidSignature() throws Exception { // given - configureTestCase(testCase, "pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
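Review bot: The zero-error cases visible in this patch (`manual_shouldValidateProperCsarWithCms` and the two `...WithValidSignature` tests in this hunk) are all `@Ignore`d, so an automated run never exercises the accept path of signature verification for a certificate referenced from TOSCA metadata or placed in the package root. If the certificate's validity window is the only obstacle, consider signing the fixture in test setup with a freshly generated short-lived certificate, or making the validation time injectable, so that at least one positive case runs unattended. The `@Ignore` reason is also pasted three times, with a doubled "please" and no space after "time validity."; a shared constant such as `private static final String MANUAL_ONLY_REASON = ...` would keep it in one place. Separately, `assertThat(errors).isEmpty()` prints the offending errors on failure, which `assertThat(errors.size()).isZero()` does not.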
@@ -81,9 +99,10 @@ public class VTPValidateCSARR130206IntegrationTest { } @Test - public void shouldReportWarningForMissingCMSAndHashCodes() throws Exception{ + public void shouldReportWarningForMissingCertInCmsToscaMetaAndRootCatalogAndMissingHashCodesInManifest() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-not-secure-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
@@ -92,16 +111,102 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" + "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" ); } + @Test + public void shouldReturnNoErrorWhenCertIsOnlyInCmsAndAlgorithmAndHashesAreCorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" + ); + } @Test - public void shouldReportThatOnlySignatureIsInvalid() throws Exception { + public void shouldReturnNoErrorWhenCertIsOnlyInToscaAndAlgorithmAndHashesAreCorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" 
+ ); + } + + @Test + public void shouldReturnNoErrorWhenCertIsOnlyInRootDirectoryAndAlgorithmAndHashesAreCorrect() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-validSection.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInCmsHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Source 'Artifacts/Other/my_script.csh' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInToscaHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Source 'Artifacts/Deployment/Measurements/PM_Dictionary.yml' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInRootDirectoryHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
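Review bot: `shouldReturnNoErrorWhenCertIsOnlyInCmsAndAlgorithmAndHashesAreCorrect` and its `...OnlyInTosca...` and `...OnlyInRootDirectory...` siblings in this hunk are named as no-error cases yet assert exactly one error, "File has invalid signature!"; `shouldReturnNoError...EtsiEntryIsPointingCertificateInRoot` in the next hunk has the same mismatch. As written, these tests would also pass if the validator rejected every signature, so they do not show that the certificate was actually found in the intended location. Presumably the error is expected because the fixture's signing certificate is no longer valid; if so, say that with a name like `shouldReportOnlyInvalidSignatureWhenCertIsOnlyInCms` and a comment such as `// signature fails only because the fixture certificate is outside its validity period`. Using `containsExactlyInAnyOrder(...)` would also fold the separate size assertion into one check and reject unexpected extra messages.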
@@ -110,70 +215,232 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(2); assertThat(convertToMessagesList(errors)).contains( - "File has invalid CMS signature!", - "Mismatch between contents of non-mano-artifact-sets and source files of the package" + "Source 'Artifacts/Deployment/Events/RadioNode_Pnf_v1.yaml' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenToscaEtsiEntryCertificatePointToNotExistingFile() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cert file defined by ETSI-Entry-Certificate!", + "Invalid value. Entry [Entry-Certificate]. Artifacts/sample-pnf.cert does not exist" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInTosca() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "File has invalid signature!" 
); } @Test - public void shouldReportErrorsForInvalidCsar() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(4); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndInRootDirectory() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-invalid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); - assertThat(errors.size()).isEqualTo(6); + assertThat(errors.size()).isEqualTo(4); assertThat(convertToMessagesList(errors)).contains( - "Unable to find CMS section in manifest!", - "Source 'Definitions/MainServiceTemplate.yaml' has wrong hash!", - "Source 'Artifacts/Other/my_script.csh' has hash, but unable to find algorithm tag!", - "Unable to calculate digest - file missing: Artifacts/NonExisting2.txt", - "Mismatch between contents of non-mano-artifact-sets and source files of the package", - "File has invalid CMS signature!" 
+ "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Certificate present in root catalog despite the certificate is included in the signature container", + "File has invalid signature!" ); } @Test - public void shouldReportThanInVnfPackageCertFileWasNotDefined() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndInRootDirectoryAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(5); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Certificate present in root catalog despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInRootDirectory() + throws Exception{ // given - configureTestCase(testCase, "sample2.csar", "vtp-validate-csar-r130206.yaml", false); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); assertThat(convertToMessagesList(errors)).contains( - "Unable to find cert file defined by Entry-Certificate!", - "Warning. 
Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1", - "Missing. Entry [tosca_definitions_version]" + "Certificate present in root catalog despite the certificate is included in the signature container", + "File has invalid signature!" ); } + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInRootDirectoryAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } @Test - public void shouldReportThanInVnfPackageETSIFileIsMissing() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInToscaAndInRootDirectory() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "File has invalid signature!" 
+ ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInToscaAndInRootDirectoryAdnHashIsIncorrect() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-with-no-certificate.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "Source 'Artifacts/Deployment/Yang_module/yang-module1.yang' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnNoErrorWhenCertificateIsLocatedInToscaAndInRootDirectoryHoweverEtsiEntryIsPointingCertificateInRoot() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "Unable to find cert file defined by ETSI-Entry-Certificate!", - "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInToscaHoweverManifestDoesNotContainsCms() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-no-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cms signature!" 
); } + @Test + public void shouldReturnErrorWhenCsarDoesNotContainsCmsAndCertsHoweverManifestContainsHash() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-no-cms-no-cert-with-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cms signature!" + ); + } } -- cgit 1.2.3-korg
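Review bot: Two manifest error paths lose their assertions with the removed `shouldReportErrorsForInvalidCsar`: "has hash, but unable to find algorithm tag!" and "Unable to calculate digest - file missing: ..." no longer appear in any expectation on the new side of this hunk. The removed `sample2.csar` case was also the only visible call passing `false` instead of `IS_PNF`, so the tests shown here now cover PNF packages only. Unless these paths are exercised in another test class, keep one fixture for each, so that a package with a hash but no algorithm tag, or with a listed source file that is absent, is still shown to be rejected. The test name `...InToscaAndInRootDirectoryAdnHashIsIncorrect` also has a typo (`Adn` should be `And`).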