From b812f004656c053e5d0686820747f4845cd752c9 Mon Sep 17 00:00:00 2001 From: Aleksandra Maciaga Date: Tue, 30 Jun 2020 13:39:00 +0200 Subject: Make rule 130206 less restrictive Signed-off-by: Aleksandra Maciaga Issue-ID: VNFSDK-595 Change-Id: I39beb48d958b0589837f4d960ca7edded0e1e22e --- .../cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 50 ++++++++++++++++----- .../src/main/resources/vnfreqs.properties | 2 +- .../VTPValidateCSARR130206IntegrationTest.java | 22 +++++++-- .../pnf/r130206/csar-option1-warning.csar | Bin 0 -> 5646 bytes .../pnf/r130206/csar-with-no-certificate.csar | Bin 116706 -> 112666 bytes 5 files changed, 59 insertions(+), 15 deletions(-) create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar (limited to 'csarvalidation/src') diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index 74706c7..64eb878 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -50,6 +50,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class); private static final String SHA_256 = "SHA-256"; private static final String SHA_512 = "SHA-512"; + private static final String EMPTY_STRING = ""; private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator(); 
@@ -118,6 +119,13 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } } + public static class CSARWarningNoSecurity extends CSARArchive.CSARErrorWarning{ + CSARWarningNoSecurity(){ + super(EMPTY_STRING, EMPTY_STRING,-1, EMPTY_STRING); + this.message = "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file."; + } + } + @Override protected void validateCSAR(CSARArchive csar) throws OnapCommandException { 
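Review bot: `CSARWarningNoSecurity` passes `EMPTY_STRING` into what appears to be the message slot of the superclass constructor and then overwrites `this.message`, so the message is set twice; if the fourth argument is indeed the message, pass the text directly, `super(EMPTY_STRING, EMPTY_STRING, -1, "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file.");`, and drop the assignment. The class also carries no Javadoc, yet it is the only signal a consumer receives when a package has neither a CMS signature nor per-source hashes; a comment such as `/** Raised when the manifest has no CMS section and no source hash/algorithm entries: package integrity and origin are unverified by this rule, the caller decides whether to accept it. */` would make that security meaning explicit. The `-1` line number and empty entry/file seem to mean "package-wide, no location" — worth stating in the same comment rather than leaving the sentinel values unexplained.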
@@ -138,20 +146,39 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException { final CSARArchive.Manifest manifest = csar.getManifest(); + validateEntryCertificate(csar, csarRootDirectory); + if(verifyThatCsarIsSecure(manifest)){ - validateSecurityStructure(csar, csarRootDirectory); - validateSources(csarRootDirectory, manifest); + validateManifestCms(manifest); + validateSources(csarRootDirectory, manifest); - final Map>> nonMano = manifest.getNonMano(); - final List sources = manifest.getSources(); + final Map>> nonMano = manifest.getNonMano(); + final List sources = manifest.getSources(); - validateNonManoCohesionWithSources(nonMano, sources); + validateNonManoCohesionWithSources(nonMano, sources); - final File manifestMfFile = csar.getManifestMfFile(); - final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory); - if (manifestMfFile != null) { - validateFileSignature(manifestMfFile, absolutePathToEntryCertificate); + final File manifestMfFile = csar.getManifestMfFile(); + final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory); + if (manifestMfFile != null) { + validateFileSignature(manifestMfFile, absolutePathToEntryCertificate); + } + }else{ + this.errors.add(new CSARWarningNoSecurity()); } + + } + + private boolean verifyThatCsarIsSecure(CSARArchive.Manifest manifest) { + final List sources = manifest.getSources(); + final String cms = manifest.getCms(); + final boolean containsHashOrAlgorithm = (sources.stream().anyMatch( + source -> + !source.getAlgorithm().equals(EMPTY_STRING) || + !source.getHash().equals(EMPTY_STRING) + ) + ); + final boolean containsCms = cms != null && !cms.equals(EMPTY_STRING); + return containsCms || containsHashOrAlgorithm; } private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) { 
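Review bot: `verifyThatCsarIsSecure` null-checks `cms` but calls `.equals` on `source.getAlgorithm()` and `source.getHash()` unguarded, so a source entry with no `Algorithm`/`Hash` line will throw a NullPointerException if those getters return null rather than an empty string (not visible in this diff); the null-safe form is `!EMPTY_STRING.equals(source.getAlgorithm()) || !EMPTY_STRING.equals(source.getHash())`. With this change a package whose CMS block and every source hash have been stripped drops from a hard error to `CSARWarningNoSecurity`, so a downgrade by deleting the security section is no longer rejected by this rule; that is the commit's stated intent, but a comment on the `else` branch saying that the caller must treat the warning as a policy gate would keep it from being silently discarded downstream. The CMS-presence check here, `cms != null && !cms.equals(EMPTY_STRING)`, duplicates the one in `validateManifestCms` (`== null || isEmpty()`); a single `hasCms(manifest)` helper used by both would keep the two from drifting apart.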
@@ -188,15 +215,16 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } } - private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) { - final CSARArchive.Manifest manifest = csar.getManifest(); + private void validateEntryCertificate(CSARArchive csar, Path csarRootDirectory) { final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); final String entryCertificateParamName = csar.getEntryCertificateParamName(); final Optional entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) { this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName)); } + } + private void validateManifestCms(CSARArchive.Manifest manifest) { if (manifest.getCms() == null || manifest.getCms().isEmpty()) { this.errors.add(new CSARErrorUnableToFindCmsSection()); } diff --git a/csarvalidation/src/main/resources/vnfreqs.properties b/csarvalidation/src/main/resources/vnfreqs.properties index cbde364..a6d8d31 100644 --- a/csarvalidation/src/main/resources/vnfreqs.properties +++ b/csarvalidation/src/main/resources/vnfreqs.properties @@ -2,4 +2,4 @@ vnfreqs.enabled=r01123,r02454,r04298,r07879,r09467,r10087,r13390,r15837,r17852,r pnfreqs.enabled=r10087,r15837,r17852,r35854,r57019,r87234,r130206,r146092,r293901,r787965,r972082 # ignored all chef and ansible related tests vnferrors.ignored=0x1005,0x1006,r07879-0x1000,r13390-0x1000,r27310-0x1000,r40293-0x1000,r77786-0x1000,r04298-0x1000,r07879-0x1000,r10087-0x1000,r13390-0x1000,r23823-0x1000,r26881-0x1000,r40820-0x1000,r35851-0x1000,r32155-0x1000,r54356-0x1000,r67895-0x1000,r95321-0x1000,r46527-0x1000,r02454-0x1000 -pnferrors.ignored= +pnferrors.ignored=0x1006,r130206-0x1006 
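Review bot: The new `pnferrors.ignored=0x1006,r130206-0x1006` entry has no explanatory comment, unlike the `vnferrors.ignored` line above it, and what code `0x1006` denotes is not visible in this diff. If `0x1006` is the code carried by `CSARErrorWarning`, this line is what stops the new `CSARWarningNoSecurity` from failing PNF validation, and that coupling between the rule's new warning and the ignore list deserves a comment such as `# 0x1006: warnings (e.g. r130206 missing CMS/hash codes) are reported but do not fail PNF validation`, adjusted to whatever the code actually means. If it instead suppresses the warning entirely, it would never reach users outside the integration test, which would defeat the change — worth confirming either way.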
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java index feabe7f..0147c90 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java @@ -80,6 +80,22 @@ public class VTPValidateCSARR130206IntegrationTest { assertThat(errors.size()).isEqualTo(0); } + @Test + public void shouldReportWarningForMissingCMSAndHashCodes() throws Exception{ + // given + configureTestCase(testCase, "pnf/r130206/csar-option1-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file." + ); + } + @Test public void shouldReportThatOnlySignatureIsInvalid() throws Exception { @@ -135,14 +151,14 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(convertToMessagesList(errors)).contains( "Unable to find cert file defined by Entry-Certificate!", - "Unable to find CMS section in manifest!", + "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file.", "Missing. Entry [tosca_definitions_version]" ); } @Test - public void shouldReportThanInVnfPackageETSIFileIsMissingAndNoCertificateInCMS() throws Exception { + public void shouldReportThanInVnfPackageETSIFileIsMissing() throws Exception { // given configureTestCase(testCase, "pnf/r130206/csar-with-no-certificate.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); 
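Review bot: `shouldReportWarningForMissingCMSAndHashCodes` covers only the branch where neither a CMS section nor any source hash is present; the mixed cases that `verifyThatCsarIsSecure` distinguishes — hashes present but no CMS (which now reaches `validateManifestCms` and should yield `"Unable to find CMS section in manifest!"` rather than the warning) and a CMS present with no source hashes — have no test, and those are precisely the partially stripped packages that must still be rejected. A fixture for at least the hashes-without-CMS case, asserting the CMS error is present and `"Warning. Consider adding security options (CMS and hash codes for sources) in manifest file."` is absent, would pin that boundary. Asserting `errors.size()` equal to 1 is also brittle against unrelated rule output; asserting the absence of the CMS error message states the intent more directly.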
@@ -154,7 +170,7 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(convertToMessagesList(errors)).contains( "Unable to find cert file defined by ETSI-Entry-Certificate!", - "Unable to find CMS section in manifest!" + "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file." ); } diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar new file mode 100644 index 0000000..d50d74a Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar index 624f8fe..998619a 100644 Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar and b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar differ -- cgit 1.2.3-korg