From 089d8c3fb0a277351a55371dff8c2b27bd3f4ed5 Mon Sep 17 00:00:00 2001 From: Bogumil Zebek Date: Wed, 17 Apr 2019 07:56:27 +0200 Subject: Security TC op2 Change-Id: I247c1223b5731c8dbea1480ca88db1cff78cb633 Issue-ID: VNFSDK-342 Signed-off-by: Zebek Bogumil --- .../java/org/onap/cvc/csar/CsarValidatorTest.java | 15 ++- .../java/org/onap/cvc/csar/FileArchiveTest.java | 69 +++++++++++ .../onap/cvc/csar/ZipFileContentValidatorTest.java | 134 +++++++++++++++++++++ .../VTPValidateCSARR787965IntegrationTest.java | 65 ++++++++++ .../cvc/csar/rsa/RSACertificateValidatorTest.java | 105 ++++++++++++++++ .../src/test/resources/pnf/signed-package.zip | Bin 0 -> 3449 bytes 6 files changed, 387 insertions(+), 1 deletion(-) create mode 100644 csarvalidation/src/test/java/org/onap/cvc/csar/FileArchiveTest.java create mode 100644 csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java create mode 100644 csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java create mode 100644 csarvalidation/src/test/java/org/onap/cvc/csar/rsa/RSACertificateValidatorTest.java create mode 100644 csarvalidation/src/test/resources/pnf/signed-package.zip (limited to 'csarvalidation/src/test') diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java index c441b80..25e36f6 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java @@ -41,7 +41,7 @@ public class CsarValidatorTest { @Test - public void testAllTestCasesForPNF() throws URISyntaxException { + public void testAllTestCasesForPNF_CsarCase() throws URISyntaxException { OnapCli cli = new OnapCli(new String [] { "--product", "onap-vtp", "csar-validate", 
@@ -52,4 +52,17 @@ public class CsarValidatorTest { assertEquals(0, cli.getExitCode()); } + + @Test + public void testAllTestCasesForPNF_ZipCase() throws URISyntaxException { + OnapCli cli = new OnapCli(new String [] { + "--product", "onap-vtp", + "csar-validate", + "--format", "json", + "--pnf", + "--csar", absoluteFilePath("pnf/signed-package.zip")}); + cli.handle(); + assertEquals(0, cli.getExitCode()); + } + } diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/FileArchiveTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/FileArchiveTest.java new file mode 100644 index 0000000..1ac8073 --- /dev/null +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/FileArchiveTest.java @@ -0,0 +1,69 @@ +/* + * Copyright 2019 Nokia + *
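Review bot: `testAllTestCasesForPNF_ZipCase` asserts only `assertEquals(0, cli.getExitCode())`, and it does so for `pnf/signed-package.zip`, the same fixture that `VTPValidateCSARR787965IntegrationTest` in this commit expects to fail with "Invalid CSAR signature!". An exit code of 0 therefore cannot mean the package passed validation, and the test would stay green if the signature test case were skipped or its verdict changed. Assert on the reported results as well, or at minimum state the limit above the assertion: `// exit code 0 = command completed; signed-package.zip is expected to fail R787965`. How the exit code is derived is not visible in this hunk, so that reading is an inference from the two tests.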

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.IOException; +import java.net.URISyntaxException; + + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.onap.cvc.csar.cc.sol004.IntegrationTestUtils.absoluteFilePath; + +public class FileArchiveTest { + + @Rule + public TemporaryFolder folder= new TemporaryFolder(); + + @Test + public void shouldUnpackCsarFile() throws URISyntaxException, IOException { + // given + String absolutePath = folder.getRoot().getAbsolutePath(); + + // when + FileArchive.Workspace workspace = new FileArchive(absolutePath).unpack(absoluteFilePath("pnf/r57019/allMandatoryEntriesDefinedInMetadataManifest.csar")); + + // then + assertFalse(workspace.isZip()); + assertTrue(workspace.getRootFolder().isPresent()); + assertTrue(workspace.getPathToCsarFolder().isPresent()); + assertFalse(workspace.getPathToCertFile().isPresent()); + assertFalse(workspace.getPathToCmsFile().isPresent()); + } + + @Test + public void shouldUnpackZipFile() throws URISyntaxException, IOException { + // given + String absolutePath = folder.getRoot().getAbsolutePath(); + + // when + FileArchive.Workspace workspace = new FileArchive(absolutePath).unpack(absoluteFilePath("pnf/signed-package.zip")); + + // then + assertTrue(workspace.isZip()); + assertTrue(workspace.getRootFolder().isPresent()); + assertTrue(workspace.getPathToCsarFolder().isPresent()); + assertTrue(workspace.getPathToCertFile().isPresent()); + assertTrue(workspace.getPathToCmsFile().isPresent()); + } + +} \ No newline at end of file 
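Review bot: Both tests in `FileArchiveTest` unpack well-formed fixtures, so nothing here pins what `unpack` does with an archive whose entry names resolve outside the target folder (absolute paths or `..` segments). Because the workspace is extracted from a package that was submitted for validation, add a case built from such a fixture that asserts no file is created outside `folder.getRoot()` and that the entry is rejected or skipped. `FileArchive` itself is not part of this diff, so whether it already normalises entry paths cannot be told from here. Minor style point: `folder= new TemporaryFolder()` is missing a space before `=`.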
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java new file mode 100644 index 0000000..7da91f8 --- /dev/null +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java @@ -0,0 +1,134 @@ +/* + * Copyright 2019 Nokia + *

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnitRunner; + +import java.nio.file.Path; +import java.util.List; +import java.util.stream.Collectors; + +import static org.assertj.core.api.Assertions.assertThat; + +@RunWith(MockitoJUnitRunner.class) +public class ZipFileContentValidatorTest { + + @Mock + Path rootFolder; + @Mock + Path pathToCsarWorkspace; + @Mock + Path certFile; + @Mock + Path csarFile; + @Mock + Path cmsFile; + + private ZipFileContentValidator zipFileContentValidator; + + + @Before + public void setUp(){ + zipFileContentValidator = new ZipFileContentValidator(); + } + + @Test + public void shouldReportThatCertFileAndCmsFileIsNotAvailable() { + // given + FileArchive.Workspace workspace = FileArchive.Workspace.forZip( + rootFolder, + pathToCsarWorkspace, + null, + null, + null + ); + + // when + List errors = zipFileContentValidator.validate(workspace); + + // then + assertThat(errors.size()).isEqualTo(2); + assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( + "Missing. Cert file is not available!", "Missing. CMS file is not available!" 
+ ); + } + + @Test + public void shouldReportThatCertFileIsNotAvailable() { + // given + FileArchive.Workspace workspace = FileArchive.Workspace.forZip( + rootFolder, + pathToCsarWorkspace, + null, + cmsFile, + csarFile + ); + + // when + List errors = zipFileContentValidator.validate(workspace); + + // then + assertThat(errors.size()).isEqualTo(1); + assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( + "Missing. Cert file is not available!" + ); + } + + @Test + public void shouldReportThatCmsFileIsNotAvailable() { + // given + FileArchive.Workspace workspace = FileArchive.Workspace.forZip( + rootFolder, + pathToCsarWorkspace, + certFile, + null, + csarFile + ); + + // when + List errors = zipFileContentValidator.validate(workspace); + + // then + assertThat(errors.size()).isEqualTo(1); + assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( + "Missing. CMS file is not available!" + ); + } + + @Test + public void shouldNotReportAnyErrorWhenAllFilesAreAvailable() { + // given + FileArchive.Workspace workspace = FileArchive.Workspace.forZip( + rootFolder, + pathToCsarWorkspace, + certFile, + cmsFile, + csarFile + ); + + // when + List errors = zipFileContentValidator.validate(workspace); + + // then + assertThat(errors.size()).isEqualTo(0); + } +} \ No newline at end of file diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java new file mode 100644 index 0000000..5c11c8a --- /dev/null +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java @@ -0,0 +1,65 @@ +/* + * Copyright 2019 Nokia + *
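Review bot: `shouldReportThatCertFileAndCmsFileIsNotAvailable` passes `null` for all three trailing arguments of `Workspace.forZip`, including the position where the other tests pass `csarFile`, and still expects exactly two errors. As written it pins behaviour in which a zip containing no CSAR at all is not reported by `ZipFileContentValidator`. If that is unintended, pass `csarFile` in this test and add a separate case for the missing CSAR with the message the validator should produce. The argument order is inferred from the other three tests, since `forZip` is outside this diff. The paired `errors.size()` and `contains(...)` assertions can be a single `containsExactlyInAnyOrder(...)`, which also fails on unexpected extra messages.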

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.cc.sol004; + +import org.junit.Before; +import org.junit.Test; +import org.onap.cvc.csar.CSARArchive; + +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.onap.cvc.csar.cc.sol004.IntegrationTestUtils.configureTestCase; +import static org.onap.cvc.csar.cc.sol004.IntegrationTestUtils.convertToMessagesList; + + +public class VTPValidateCSARR787965IntegrationTest { + + private VTPValidateCSARR787965 testCase; + + @Before + public void setUp() { + testCase = new VTPValidateCSARR787965(); + } + + @Test + public void shouldReturnProperRequestNumber() { + assertThat(testCase.getVnfReqsNo()).isEqualTo("R787965"); + } + + @Test + public void shouldReportCsarHasInvalidSignature() throws Exception { + // We will not prepare positive test case, because X509 certification has expiration date and such test will + // stop working in the future. + + // given + configureTestCase(testCase, "pnf/signed-package.zip"); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Invalid CSAR signature!" + ); + } + + +} \ No newline at end of file diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/rsa/RSACertificateValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/rsa/RSACertificateValidatorTest.java new file mode 100644 index 0000000..9a3e124 --- /dev/null +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/rsa/RSACertificateValidatorTest.java @@ -0,0 +1,105 @@ +/* + * Copyright 2019 Nokia + *
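Review bot: `shouldReportCsarHasInvalidSignature` is the only end-to-end case for R787965 and it expects rejection, so it cannot distinguish an expired certificate from a digest mismatch, or from a validator that rejects every package. The comment attributes the missing positive case to certificate expiry. That can be avoided by generating the key pair, certificate and signed archive in test setup, or by making the validation time injectable, so that the accept path can be asserted. A second fixture that differs from an accepted one only in the signed content would then show that rejection really comes from the signature check. Wording: `X509 certification has expiration date` reads better as `the X.509 certificate has an expiration date`.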

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.rsa; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.junit.MockitoJUnitRunner; + +import java.security.PublicKey; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.*; + +@RunWith(MockitoJUnitRunner.class) +public class RSACertificateValidatorTest { + + @Mock + private X509RsaCertification x509RsaCertification; + + @Mock + private PublicKey publicKey; + + @Test + public void shouldReturnInformationThatCsarHasValidSignature() throws Exception { + + // given + String publicCertificate ="-----BEGIN CERTIFICATE-----\n" + + "MIIDyzCCArMCCQCXF5To+FxujDANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMC\n" + + "SUUxETAPBgNVBAgMCExlaW5zdGVyMQ8wDQYDVQQHDAZEdWJsaW4xETAPBgNVBAoM\n" + + "CEVyaWNzc29uMRwwGgYDVQQLDBNCdXNpbmVzcyBBcmVhIFJhZGlvMSMwIQYDVQQD\n" + + "DBpSb290IGNlcnRpZmljYXRlIGF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWYXV0\n" + + "aG9yaXR5QGVyaWNzc29uLmNvbTAeFw0xOTAzMDcyMDA4MDRaFw0xOTA0MDYyMDA4\n" + + "MDRaMIGfMQswCQYDVQQGEwJJRTERMA8GA1UECAwITGVpbnN0ZXIxDzANBgNVBAcM\n" + + "BkR1YmxpbjERMA8GA1UECgwIRXJpY3Nzb24xHDAaBgNVBAsME0J1c2luZXNzIEFy\n" + + "ZWEgUmFkaW8xFzAVBgNVBAMMDlBhY2thZ2Ugc2lnbmVyMSIwIAYJKoZIhvcNAQkB\n" + + "FhNzaWduZXJAZXJpY3Nzb24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" + + "CgKCAQEA1bZWYbM3W9WK7E6brlMWw/pHdYmKrLmqnmyS4QWj6PoSudReX1x1QO+o\n" + + "jlzzlWn15ozgeDtsyQWRQakSkV8IUlywmM99tH7jGejrH87eLYv0IoJONVJLMsuQ\n" + + "chMd/cm0OGwUHHuk7iRnMGlcskp3FPvHlBRgBLrg+40yksJMmpHyS9amrG2/3bSa\n" + + "ssuc3F8ICNtejYVXDg5rIHyKIvD8Jaozf+V8FyFcFkfL7NyIS8rSuHM40vp3jlVO\n" + + 
"yNDztZ9orTA9Frucxr6y5UIXHd/bmh7YsjihyCoPOwvkfEy/S08S245eKS1zwgcE\n" + + "zkSwPC+XR7HwXoVb63hgBlcJCkUAswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCC\n" + + "nWjpa+JeJj05UfX0tejdnHTotnT4AQfxp1YesG3O7ioIY4Y93/Cj8N+7rzeB392v\n" + + "eUMN2HKXGNRZhVJKs8fdoD/b5OxlwX1BattPS1Oh7HmLYzevOxotrm5YOR4KG2qa\n" + + "Rw/m6jFWxnAovpQTaCOgkuAJyF9l6wlQE4FyzyZMaThObcnLBzuQJjJXKMwaVT6D\n" + + "AQuMP3DRrH3aXlFpqV4bugLy8agSc2w9sF3w4osGZSwPjerJiulncUyBr+cjv1KB\n" + + "IfgzoP3b9frMBZmSpxeT3YzR1wZAh9AterRKAm6EGVxrnRDQ1b/OuW4y2RxQ/Q3G\n" + + "OUU/dbcjLaFvoQsv3aAk\n" + + "-----END CERTIFICATE-----\n"; + + String signature = "r+18GjD74DWNbp1U5zzbw7lB0QI5OXXBReGQ5DmRn/SFqQj0H22omSoolqlmwk8fc6pBfSTQl68yWEztH6m14dKTcYozVFpn1TS0qSgxMYjPJ5N/4+wrhC/70yosLATdc2w1U/9UYeFxP0QbCBSLtH9dDgTfm8e7Y25c7l6jSI+/VZ6b4lno5786y4W/VYeP6ktOvI0qbLtFPLfpxjqJ5idXUspkblhrZ6dHzURTlUWfYTku5NfLoIPL2Hdr8WfTBBTk+TYmAEBGC7J3SY5m1SZOOGElh80CfLGFVtdZ862Sgj2X8hV1isBTEJpczQwdMmid2xzdmZgbnkzFh9F/eQ=="; + byte [] content = new byte[] {'t','e','s','t'}; + + + String cert = "MIIDyzCCArMCCQCXF5To+FxujDANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMC\n" + + "SUUxETAPBgNVBAgMCExlaW5zdGVyMQ8wDQYDVQQHDAZEdWJsaW4xETAPBgNVBAoM\n" + + "CEVyaWNzc29uMRwwGgYDVQQLDBNCdXNpbmVzcyBBcmVhIFJhZGlvMSMwIQYDVQQD\n" + + "DBpSb290IGNlcnRpZmljYXRlIGF1dGhvcml0eTElMCMGCSqGSIb3DQEJARYWYXV0\n" + + "aG9yaXR5QGVyaWNzc29uLmNvbTAeFw0xOTAzMDcyMDA4MDRaFw0xOTA0MDYyMDA4\n" + + "MDRaMIGfMQswCQYDVQQGEwJJRTERMA8GA1UECAwITGVpbnN0ZXIxDzANBgNVBAcM\n" + + "BkR1YmxpbjERMA8GA1UECgwIRXJpY3Nzb24xHDAaBgNVBAsME0J1c2luZXNzIEFy\n" + + "ZWEgUmFkaW8xFzAVBgNVBAMMDlBhY2thZ2Ugc2lnbmVyMSIwIAYJKoZIhvcNAQkB\n" + + "FhNzaWduZXJAZXJpY3Nzb24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" + + "CgKCAQEA1bZWYbM3W9WK7E6brlMWw/pHdYmKrLmqnmyS4QWj6PoSudReX1x1QO+o\n" + + "jlzzlWn15ozgeDtsyQWRQakSkV8IUlywmM99tH7jGejrH87eLYv0IoJONVJLMsuQ\n" + + "chMd/cm0OGwUHHuk7iRnMGlcskp3FPvHlBRgBLrg+40yksJMmpHyS9amrG2/3bSa\n" + + "ssuc3F8ICNtejYVXDg5rIHyKIvD8Jaozf+V8FyFcFkfL7NyIS8rSuHM40vp3jlVO\n" + + 
"yNDztZ9orTA9Frucxr6y5UIXHd/bmh7YsjihyCoPOwvkfEy/S08S245eKS1zwgcE\n" + + "zkSwPC+XR7HwXoVb63hgBlcJCkUAswIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCC\n" + + "nWjpa+JeJj05UfX0tejdnHTotnT4AQfxp1YesG3O7ioIY4Y93/Cj8N+7rzeB392v\n" + + "eUMN2HKXGNRZhVJKs8fdoD/b5OxlwX1BattPS1Oh7HmLYzevOxotrm5YOR4KG2qa\n" + + "Rw/m6jFWxnAovpQTaCOgkuAJyF9l6wlQE4FyzyZMaThObcnLBzuQJjJXKMwaVT6D\n" + + "AQuMP3DRrH3aXlFpqV4bugLy8agSc2w9sF3w4osGZSwPjerJiulncUyBr+cjv1KB\n" + + "IfgzoP3b9frMBZmSpxeT3YzR1wZAh9AterRKAm6EGVxrnRDQ1b/OuW4y2RxQ/Q3G\n" + + "OUU/dbcjLaFvoQsv3aAk\n"; + + when(x509RsaCertification.generatePublicKey(cert)).thenReturn(publicKey); + when(x509RsaCertification.verify(content,signature, publicKey)).thenReturn(true); + + // when + RSACertificateValidator rsaCertificateValidator = new RSACertificateValidator(x509RsaCertification); + + // then + assertThat(rsaCertificateValidator.isValid(content, signature, publicCertificate)).isTrue(); + verify(x509RsaCertification,times(1)).generatePublicKey(cert); + verify(x509RsaCertification,times(1)).verify(content,signature, publicKey); + } + +} \ No newline at end of file diff --git a/csarvalidation/src/test/resources/pnf/signed-package.zip b/csarvalidation/src/test/resources/pnf/signed-package.zip new file mode 100644 index 0000000..e4b7d00 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/signed-package.zip differ -- cgit 1.2.3-korg
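Review bot: `shouldReturnInformationThatCsarHasValidSignature` stubs both `generatePublicKey` and `verify` on the mocked `X509RsaCertification`, so no signature is checked. The test only establishes that `RSACertificateValidator` strips the PEM armor and forwards its three arguments. A name such as `shouldStripPemArmorAndDelegateVerification` would say that, and the complementary case is missing: with `when(x509RsaCertification.verify(content, signature, publicKey)).thenReturn(false);` the call `isValid(...)` must return false. The validity dates in the embedded certificate's Base64 appear to end on 6 April 2019, before the commit date, which goes unnoticed because of the mock. A test of `X509RsaCertification` with a key pair generated at test time would cover the real verification, if none exists outside this diff. `import static org.mockito.Mockito.*;` is better written as explicit imports of `when`, `verify` and `times`.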