From 6767596c5b15b75a3f1ae43e169aa88e0de56c3a Mon Sep 17 00:00:00 2001
From: Bartosz Gardziejewski
Date: Thu, 17 Sep 2020 14:46:47 +0200
Subject: Fixing R130206 certificate searching mechanism
Issue-ID: VNFSDK-595
Signed-off-by: Bartosz Gardziejewski
Change-Id: I8dacd924b16812378356b05291229f2097dfcbe1
---
.../java/org/onap/cvc/csar/CsarValidatorTest.java | 48 +--
.../VTPValidateCSARR130206IntegrationTest.java | 329 +++++++++++++++++++--
...t-in-cms-and-root-and-tosca-incorrect-hash.csar | Bin 0 -> 21667 bytes
...t-in-cms-and-root-and-tosca-incorrect-hash.csar | Bin 0 -> 8320 bytes
.../csar-cert-in-cms-and-root-and-tosca.csar | Bin 0 -> 8317 bytes
.../csar-cert-in-cms-and-root-incorrect-hash.csar | Bin 0 -> 7275 bytes
.../pnf/r130206/csar-cert-in-cms-and-root.csar | Bin 0 -> 7271 bytes
.../csar-cert-in-cms-and-tosca-incorrect-hash.csar | Bin 0 -> 7318 bytes
.../pnf/r130206/csar-cert-in-cms-and-tosca.csar | Bin 0 -> 7290 bytes
.../r130206/csar-cert-in-cms-incorrect-hash.csar | Bin 0 -> 6247 bytes
.../pnf/r130206/csar-cert-in-cms-valid.csar | Bin 0 -> 25585 bytes
.../resources/pnf/r130206/csar-cert-in-cms.csar | Bin 0 -> 6244 bytes
...csar-cert-in-root-and-tosca-incorrect-hash.csar | Bin 0 -> 7563 bytes
.../pnf/r130206/csar-cert-in-root-and-tosca.csar | Bin 0 -> 7564 bytes
.../r130206/csar-cert-in-root-incorrect-hash.csar | Bin 0 -> 6521 bytes
.../csar-cert-in-root-pointed-by-tosca.csar | Bin 0 -> 6529 bytes
.../pnf/r130206/csar-cert-in-root-valid.csar | Bin 0 -> 25868 bytes
.../resources/pnf/r130206/csar-cert-in-root.csar | Bin 0 -> 6518 bytes
.../r130206/csar-cert-in-tosca-incorrect-hash.csar | Bin 0 -> 6564 bytes
.../pnf/r130206/csar-cert-in-tosca-no-cms.csar | Bin 0 -> 5865 bytes
.../pnf/r130206/csar-cert-in-tosca-valid.csar | Bin 0 -> 25927 bytes
.../resources/pnf/r130206/csar-cert-in-tosca.csar | Bin 0 -> 6561 bytes
.../pnf/r130206/csar-no-cms-no-cert-with-hash.csar | Bin 0 -> 4795 bytes
.../pnf/r130206/csar-not-secure-warning.csar | Bin 0 -> 4576 bytes
.../pnf/r130206/csar-option1-invalid.csar | Bin 5743 -> 0 bytes
.../resources/pnf/r130206/csar-option1-valid.csar | Bin 7530 -> 0 bytes
.../pnf/r130206/csar-option1-validSection.csar | Bin 6170 -> 0 bytes
.../pnf/r130206/csar-option1-warning-2.csar | Bin 8624 -> 0 bytes
.../pnf/r130206/csar-option1-warning.csar | Bin 5646 -> 0 bytes
.../csar-with-etsi-cert-without-cert-in-cms.csar | Bin 116773 -> 0 bytes
.../pnf/r130206/csar-with-no-certificate.csar | Bin 112666 -> 0 bytes
...with-tosca-cert-pointing-non-existing-cert.csar | Bin 0 -> 114649 bytes
.../src/test/resources/pnf/validFile.csar | Bin 0 -> 18069 bytes
33 files changed, 324 insertions(+), 53 deletions(-)
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/cert-in-cms-and-root-and-tosca-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-valid.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-no-cms.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-valid.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-no-cms-no-cert-with-hash.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-not-secure-warning.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-invalid.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-valid.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-validSection.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning-2.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar
delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar
create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar
create mode 100644 csarvalidation/src/test/resources/pnf/validFile.csar
(limited to 'csarvalidation/src/test')
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java
index 299aff2..491b20a 100644
--- a/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java
+++ b/csarvalidation/src/test/java/org/onap/cvc/csar/CsarValidatorTest.java
@@ -35,79 +35,83 @@ import static org.onap.cvc.csar.cc.sol004.IntegrationTestUtils.absoluteFilePath; public class CsarValidatorTest { - private static final String NO_CERTIFICATE_RULE = "r130206"; + private static final String CERTIFICATION_RULE = "r130206"; private static final String OPERATION_STATUS_FAILED = "FAILED"; + private static final String OPERATION_STATUS_PASS = "PASS"; @Test - public void shouldReportErrorAsWarningWhenErrorIsIgnored() throws URISyntaxException { + public void shouldReportThanVnfValidationFailed() throws URISyntaxException { // given OnapCliWrapper cli = new OnapCliWrapper(new String[]{ "--product", "onap-dublin", "csar-validate", "--format", "json", - "--pnf", - "--csar", absoluteFilePath("pnf/r130206/csar-option1-warning-2.csar")}); + "--csar", absoluteFilePath("VoLTE.csar")}); // when cli.handle(); // then final OnapCommandResult onapCommandResult = cli.getCommandResult(); - assertTrue(onapCommandResult.getOutput().toString().contains( - "\"warnings\":[{\"vnfreqNo\":\"R130206\",\"code\":\"0x1006\",\"message\":\"Warning. 
Consider adding package " - + "integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1\",\"file\":\"\",\"lineNumber\":-1}]}")); + verifyThatOperation(onapCommandResult, OPERATION_STATUS_FAILED); + verifyThatXRulesFails(onapCommandResult, 7); + verifyThatOperationFinishedWithoutAnyError(cli); } + @Test - public void shouldReportThanVnfValidationFailed() throws URISyntaxException { + public void shouldReportOnlyWarningWhenCsarDoNotHaveCertificateAndHashesInManifest() throws URISyntaxException { // given OnapCliWrapper cli = new OnapCliWrapper(new String[]{ "--product", "onap-dublin", "csar-validate", "--format", "json", - "--csar", absoluteFilePath("VoLTE.csar")}); - + "--pnf", + "--csar", absoluteFilePath("pnf/validFile.csar")}); // when cli.handle(); // then final OnapCommandResult onapCommandResult = cli.getCommandResult(); - verifyThatOperation(onapCommandResult, OPERATION_STATUS_FAILED); - verifyThatXRulesFails(onapCommandResult, 7); + verifyThatOperation(onapCommandResult, OPERATION_STATUS_PASS); + assertTrue(onapCommandResult.getOutput().toString().contains( + "\"warnings\":[{" + + "\"vnfreqNo\":\"R130206\"," + + "\"code\":\"0x1006\"," + + "\"message\":\"Warning. 
Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1\"," + + "\"file\":\"\"," + + "\"lineNumber\":-1}]")); verifyThatOperationFinishedWithoutAnyError(cli); } - @Test - public void shouldReportThatPnfValidationFailedWhenCsarDoNotHaveCertificate_allOtherRulesShouldPass() throws URISyntaxException { + public void shouldNotReportThatPnfValidationFailedWhenZipDoNotHaveCertificatesAndHashesInManifest() throws URISyntaxException { // given OnapCliWrapper cli = new OnapCliWrapper(new String[]{ "--product", "onap-dublin", "csar-validate", "--format", "json", "--pnf", - "--csar", absoluteFilePath("pnf/r972082/validFile.csar")}); + "--csar", absoluteFilePath("pnf/signed-package-valid-signature.zip")}); + // when cli.handle(); // then final OnapCommandResult onapCommandResult = cli.getCommandResult(); - verifyThatOperation(onapCommandResult, OPERATION_STATUS_FAILED); - verifyThatXRulesFails(onapCommandResult, 1); - verifyThatRuleFails(onapCommandResult, NO_CERTIFICATE_RULE); + verifyThatOperation(onapCommandResult, OPERATION_STATUS_PASS); verifyThatOperationFinishedWithoutAnyError(cli); } @Test - public void shouldReportThatPnfValidationFailedWhenZipDoNotHaveCertificate_allOtherRulesShouldPass() throws URISyntaxException { + public void shouldReportThatPnfValidationFailedWhenCsarContainsCertificateInCmsAndInToscaAndInRootAndHashIsIncorrect_allOtherRulesShouldPass() throws URISyntaxException { // given OnapCliWrapper cli = new OnapCliWrapper(new String[]{ "--product", "onap-dublin", "csar-validate", "--format", "json", "--pnf", - "--csar", absoluteFilePath("pnf/signed-package-valid-signature.zip")}); - + "--csar", absoluteFilePath("pnf/r130206/cert-in-cms-and-root-and-tosca-incorrect-hash.csar")}); // when cli.handle(); 
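Review bot: `shouldNotReportThatPnfValidationFailedWhenZipDoNotHaveCertificatesAndHashesInManifest` now asserts only `OPERATION_STATUS_PASS`, so nothing in this test pins that a package without certificate and hashes still surfaces the R130206 warning; a regression that drops the warning would let an unsigned package pass silently. The sibling test for `pnf/validFile.csar` checks the `warnings` JSON, and the same check should be repeated here, e.g. `assertTrue(onapCommandResult.getOutput().toString().contains("\"vnfreqNo\":\"R130206\",\"code\":\"0x1006\""));` (assuming the zip path emits the same warning, which the hunk does not show). The fixture name `signed-package-valid-signature.zip` also contradicts the test name, so a one-line comment stating what the archive actually contains would help. The last test method in the hunk continues outside it.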
@@ -115,7 +119,7 @@ public class CsarValidatorTest { final OnapCommandResult onapCommandResult = cli.getCommandResult(); verifyThatOperation(onapCommandResult, OPERATION_STATUS_FAILED); verifyThatXRulesFails(onapCommandResult, 1); - verifyThatRuleFails(onapCommandResult, NO_CERTIFICATE_RULE); + verifyThatRuleFails(onapCommandResult, CERTIFICATION_RULE); verifyThatOperationFinishedWithoutAnyError(cli); } diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java index 3eed6c6..cdaef79 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java @@ -49,10 +49,10 @@ public class VTPValidateCSARR130206IntegrationTest { "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + "Use instructions for option 1. Test was created for manual verification." ) - public void manual_shouldValidateProperCsar() throws Exception { + public void manual_shouldValidateProperCsarWithCms() throws Exception { // given - configureTestCase(testCase, "pnf/r130206/csar-option1-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
@@ -64,13 +64,31 @@ public class VTPValidateCSARR130206IntegrationTest { @Test @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + - "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + - "Use instructions for option 1. Test was created for manual verification." + "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + + "Use instructions for option 1. Test was created for manual verification." + ) + public void manual_shouldValidateCsarWithCertificateInToscaEtsiWithValidSignature() throws Exception { + + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isZero(); + } + + @Test + @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + + "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + + "Use instructions for option 1. Test was created for manual verification." ) - public void manual_shouldValidateCsarWithCertificateInEtsiAndMissingInCMS() throws Exception { + public void manual_shouldValidateCsarWithCertificateInRootWithValidSignature() throws Exception { // given - configureTestCase(testCase, "pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
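Review bot: Both tests added here that expect zero errors for a validly signed package are `@Ignore`d, so CI never exercises the accept path of signature verification; every enabled R130206 test visible in this file expects `File has invalid signature!` or a missing-signature error. A validator that rejects every signature would therefore leave the suite green, and a regression on the accept path would go unnoticed. Consider generating a short-lived key pair and certificate in test setup and signing the manifest at test time, or, if the validator allows it, fixing the validation date used for the certificate check, so that at least one positive case runs unattended. The `@Ignore` text also renders as `validity.To verify ... please please` because the concatenated literals lack a separating space.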
@@ -81,9 +99,10 @@ public class VTPValidateCSARR130206IntegrationTest { } @Test - public void shouldReportWarningForMissingCMSAndHashCodes() throws Exception{ + public void shouldReportWarningForMissingCertInCmsToscaMetaAndRootCatalogAndMissingHashCodesInManifest() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-not-secure-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
@@ -92,16 +111,102 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" + "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" ); } + @Test + public void shouldReturnNoErrorWhenCertIsOnlyInCmsAndAlgorithmAndHashesAreCorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" + ); + } @Test - public void shouldReportThatOnlySignatureIsInvalid() throws Exception { + public void shouldReturnNoErrorWhenCertIsOnlyInToscaAndAlgorithmAndHashesAreCorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" 
+ ); + } + + @Test + public void shouldReturnNoErrorWhenCertIsOnlyInRootDirectoryAndAlgorithmAndHashesAreCorrect() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-validSection.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInCmsHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Source 'Artifacts/Other/my_script.csh' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInToscaHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Source 'Artifacts/Deployment/Measurements/PM_Dictionary.yml' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertIsOnlyInRootDirectoryHoweverHashesAreIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); 
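Review bot: The three tests named `shouldReturnNoErrorWhenCertIsOnlyIn{Cms,Tosca,RootDirectory}AndAlgorithmAndHashesAreCorrect` assert `errors.size()` is 1 and expect `File has invalid signature!`, so name and assertion contradict each other; `shouldReturnNoErrorWhen...EtsiEntryIsPointingCertificateInRoot` in the next hunk has the same mismatch. A reader cannot tell whether the invalid signature is intended (presumably the fixture certificate is outside its validity period, as the `@Ignore` text elsewhere in the file suggests) or a validator defect the tests have been bent around. Rename them along the lines of `shouldReportOnlyInvalidSignatureWhenCertIsOnlyInCms...`, or add a comment such as `// signature fails only because the fixture certificate has expired; hashes and certificate location are accepted`, after confirming that this is the actual cause.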
@@ -110,70 +215,232 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(2); assertThat(convertToMessagesList(errors)).contains( - "File has invalid CMS signature!", - "Mismatch between contents of non-mano-artifact-sets and source files of the package" + "Source 'Artifacts/Deployment/Events/RadioNode_Pnf_v1.yaml' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenToscaEtsiEntryCertificatePointToNotExistingFile() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cert file defined by ETSI-Entry-Certificate!", + "Invalid value. Entry [Entry-Certificate]. Artifacts/sample-pnf.cert does not exist" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInTosca() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "File has invalid signature!" 
); } @Test - public void shouldReportErrorsForInvalidCsar() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(4); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndInRootDirectory() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-option1-invalid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); - assertThat(errors.size()).isEqualTo(6); + assertThat(errors.size()).isEqualTo(4); assertThat(convertToMessagesList(errors)).contains( - "Unable to find CMS section in manifest!", - "Source 'Definitions/MainServiceTemplate.yaml' has wrong hash!", - "Source 'Artifacts/Other/my_script.csh' has hash, but unable to find algorithm tag!", - "Unable to calculate digest - file missing: Artifacts/NonExisting2.txt", - "Mismatch between contents of non-mano-artifact-sets and source files of the package", - "File has invalid CMS signature!" 
+ "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Certificate present in root catalog despite the certificate is included in the signature container", + "File has invalid signature!" ); } @Test - public void shouldReportThanInVnfPackageCertFileWasNotDefined() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInToscaAndInRootDirectoryAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(5); + assertThat(convertToMessagesList(errors)).contains( + "ETSI-Entry-Certificate entry in Tosca.meta is defined despite the certificate is included in the signature container", + "ETSI-Entry-Certificate certificate present despite the certificate is included in the signature container", + "Certificate present in root catalog despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInRootDirectory() + throws Exception{ // given - configureTestCase(testCase, "sample2.csar", "vtp-validate-csar-r130206.yaml", false); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); assertThat(convertToMessagesList(errors)).contains( - "Unable to find cert file defined by Entry-Certificate!", - "Warning. 
Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1", - "Missing. Entry [tosca_definitions_version]" + "Certificate present in root catalog despite the certificate is included in the signature container", + "File has invalid signature!" ); } + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInCmsAndInRootDirectoryAndHashIsIncorrect() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in the signature container", + "Source 'Artifacts/Informational/user_guide.txt' has wrong hash!", + "File has invalid signature!" + ); + } @Test - public void shouldReportThanInVnfPackageETSIFileIsMissing() throws Exception { + public void shouldReturnErrorWhenCertificateIsLocatedInToscaAndInRootDirectory() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-and-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(2); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "File has invalid signature!" 
+ ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInToscaAndInRootDirectoryAdnHashIsIncorrect() + throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-with-no-certificate.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); // then List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(3); + assertThat(convertToMessagesList(errors)).contains( + "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "Source 'Artifacts/Deployment/Yang_module/yang-module1.yang' has wrong hash!", + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnNoErrorWhenCertificateIsLocatedInToscaAndInRootDirectoryHoweverEtsiEntryIsPointingCertificateInRoot() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "Unable to find cert file defined by ETSI-Entry-Certificate!", - "Warning. Consider adding package integrity and authenticity assurance according to ETSI NFV-SOL 004 Security Option 1" + "File has invalid signature!" + ); + } + + @Test + public void shouldReturnErrorWhenCertificateIsLocatedInToscaHoweverManifestDoesNotContainsCms() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-cert-in-tosca-no-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cms signature!" 
); } + @Test + public void shouldReturnErrorWhenCsarDoesNotContainsCmsAndCertsHoweverManifestContainsHash() + throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-no-cms-no-cert-with-hash.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cms signature!" + ); + } } diff --git a/csarvalidation/src/test/resources/pnf/r130206/cert-in-cms-and-root-and-tosca-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/cert-in-cms-and-root-and-tosca-incorrect-hash.csar new file mode 100644 index 0000000..bf19010 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/cert-in-cms-and-root-and-tosca-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar new file mode 100644 index 0000000..c8a4c39 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar new file mode 100644 index 0000000..b47f565 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-and-tosca.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar new file mode 100644 index 0000000..392d41e Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root-incorrect-hash.csar differ 
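Review bot: The removed `shouldReportErrorsForInvalidCsar` was the only visible test pinning `has hash, but unable to find algorithm tag!` and `Unable to calculate digest - file missing`, and none of the new fixtures in this hunk expects either message, so a manifest entry with a hash but no algorithm, or one that references an absent file, is no longer covered here. The non-PNF case (`sample2.csar` with `false`) is dropped as well; every new test passes `IS_PNF`. Unless those cases are exercised elsewhere, add one fixture for each so these integrity checks stay under test. The assertions pair `contains(...)` with a separate size check, which `containsExactlyInAnyOrder(...)` would express in one step, and `...InRootDirectoryAdnHashIsIncorrect` carries a typo (`Adn`).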
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root.csar new file mode 100644 index 0000000..f9112c7 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-root.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar new file mode 100644 index 0000000..f331233 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca.csar new file mode 100644 index 0000000..0854291 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-and-tosca.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-incorrect-hash.csar new file mode 100644 index 0000000..12c90a2 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-valid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-valid.csar new file mode 100644 index 0000000..ece4064 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms-valid.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms.csar new file mode 100644 index 0000000..5ddbe1a Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-cms.csar differ 
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar new file mode 100644 index 0000000..be19521 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca.csar new file mode 100644 index 0000000..e4dbef9 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-and-tosca.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-incorrect-hash.csar new file mode 100644 index 0000000..b926aac Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-incorrect-hash.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar new file mode 100644 index 0000000..0d9c3f3 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-pointed-by-tosca.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar new file mode 100644 index 0000000..70885d8 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar differ 
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar
new file mode 100644
index 0000000..d5d8f94
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar
new file mode 100644
index 0000000..9b651d0
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-incorrect-hash.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-no-cms.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-no-cms.csar
new file mode 100644
index 0000000..fe34a61
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-no-cms.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-valid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-valid.csar
new file mode 100644
index 0000000..3446aaf
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca-valid.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca.csar
new file mode 100644
index 0000000..c4168dc
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-tosca.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-no-cms-no-cert-with-hash.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-no-cms-no-cert-with-hash.csar
new file mode 100644
index 0000000..826425e
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-no-cms-no-cert-with-hash.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-not-secure-warning.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-not-secure-warning.csar
new file mode 100644
index 0000000..6520a61
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-not-secure-warning.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-invalid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-invalid.csar
deleted file mode 100644
index 187c008..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-invalid.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-valid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-valid.csar
deleted file mode 100644
index 08c3605..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-valid.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-validSection.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-validSection.csar
deleted file mode 100644
index bc90a75..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-validSection.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning-2.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning-2.csar
deleted file mode 100644
index 748efbb..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning-2.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar
deleted file mode 100644
index d50d74a..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar
deleted file mode 100644
index d359994..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar
deleted file mode 100644
index 998619a..0000000
Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar and /dev/null differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar
new file mode 100644
index 0000000..b392fac
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-cert-pointing-non-existing-cert.csar differ
diff --git a/csarvalidation/src/test/resources/pnf/validFile.csar b/csarvalidation/src/test/resources/pnf/validFile.csar
new file mode 100644
index 0000000..11d1945
Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/validFile.csar differ
-- cgit 1.2.3-korg