Make rule 130206 less restrictive
Signed-off-by: Aleksandra Maciaga <aleksandra.maciaga@nokia.com>
Issue-ID: VNFSDK-595
Change-Id: I39beb48d958b0589837f4d960ca7edded0e1e22e
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
index 74706c7..64eb878 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
@@ -50,6 +50,7 @@
private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class);
private static final String SHA_256 = "SHA-256";
private static final String SHA_512 = "SHA-512";
+ private static final String EMPTY_STRING = "";
private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator();
private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator();
@@ -118,6 +119,13 @@
}
}
+ public static class CSARWarningNoSecurity extends CSARArchive.CSARErrorWarning{
+ CSARWarningNoSecurity(){
+ super(EMPTY_STRING, EMPTY_STRING,-1, EMPTY_STRING);
+ this.message = "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file.";
+ }
+ }
+
@Override
protected void validateCSAR(CSARArchive csar) throws OnapCommandException {
@@ -138,20 +146,39 @@
private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException {
final CSARArchive.Manifest manifest = csar.getManifest();
+ validateEntryCertificate(csar, csarRootDirectory);
+ if(verifyThatCsarIsSecure(manifest)){
- validateSecurityStructure(csar, csarRootDirectory);
- validateSources(csarRootDirectory, manifest);
+ validateManifestCms(manifest);
+ validateSources(csarRootDirectory, manifest);
- final Map<String, Map<String, List<String>>> nonMano = manifest.getNonMano();
- final List<SourcesParser.Source> sources = manifest.getSources();
+ final Map<String, Map<String, List<String>>> nonMano = manifest.getNonMano();
+ final List<SourcesParser.Source> sources = manifest.getSources();
- validateNonManoCohesionWithSources(nonMano, sources);
+ validateNonManoCohesionWithSources(nonMano, sources);
- final File manifestMfFile = csar.getManifestMfFile();
- final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory);
- if (manifestMfFile != null) {
- validateFileSignature(manifestMfFile, absolutePathToEntryCertificate);
+ final File manifestMfFile = csar.getManifestMfFile();
+ final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory);
+ if (manifestMfFile != null) {
+ validateFileSignature(manifestMfFile, absolutePathToEntryCertificate);
+ }
+ }else{
+ this.errors.add(new CSARWarningNoSecurity());
}
+
+ }
+
+ private boolean verifyThatCsarIsSecure(CSARArchive.Manifest manifest) {
+ final List<SourcesParser.Source> sources = manifest.getSources();
+ final String cms = manifest.getCms();
+ final boolean containsHashOrAlgorithm = (sources.stream().anyMatch(
+ source ->
+ !source.getAlgorithm().equals(EMPTY_STRING) ||
+ !source.getHash().equals(EMPTY_STRING)
+ )
+ );
+ final boolean containsCms = cms != null && !cms.equals(EMPTY_STRING);
+ return containsCms || containsHashOrAlgorithm;
}
private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) {
@@ -188,15 +215,16 @@
}
}
- private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) {
- final CSARArchive.Manifest manifest = csar.getManifest();
+ private void validateEntryCertificate(CSARArchive csar, Path csarRootDirectory) {
final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta();
final String entryCertificateParamName = csar.getEntryCertificateParamName();
final Optional<File> entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory);
if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) {
this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName));
}
+ }
+ private void validateManifestCms(CSARArchive.Manifest manifest) {
if (manifest.getCms() == null || manifest.getCms().isEmpty()) {
this.errors.add(new CSARErrorUnableToFindCmsSection());
}
diff --git a/csarvalidation/src/main/resources/vnfreqs.properties b/csarvalidation/src/main/resources/vnfreqs.properties
index cbde364..a6d8d31 100644
--- a/csarvalidation/src/main/resources/vnfreqs.properties
+++ b/csarvalidation/src/main/resources/vnfreqs.properties
@@ -2,4 +2,4 @@
pnfreqs.enabled=r10087,r15837,r17852,r35854,r57019,r87234,r130206,r146092,r293901,r787965,r972082
# ignored all chef and ansible related tests
vnferrors.ignored=0x1005,0x1006,r07879-0x1000,r13390-0x1000,r27310-0x1000,r40293-0x1000,r77786-0x1000,r04298-0x1000,r07879-0x1000,r10087-0x1000,r13390-0x1000,r23823-0x1000,r26881-0x1000,r40820-0x1000,r35851-0x1000,r32155-0x1000,r54356-0x1000,r67895-0x1000,r95321-0x1000,r46527-0x1000,r02454-0x1000
-pnferrors.ignored=
+pnferrors.ignored=0x1006,r130206-0x1006
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java
index feabe7f..0147c90 100644
--- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java
+++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java
@@ -80,6 +80,22 @@
assertThat(errors.size()).isEqualTo(0);
}
+ @Test
+ public void shouldReportWarningForMissingCMSAndHashCodes() throws Exception{
+ // given
+ configureTestCase(testCase, "pnf/r130206/csar-option1-warning.csar", "vtp-validate-csar-r130206.yaml", IS_PNF);
+
+ // when
+ testCase.execute();
+
+ // then
+ List<CSARArchive.CSARError> errors = testCase.getErrors();
+ assertThat(errors.size()).isEqualTo(1);
+ assertThat(convertToMessagesList(errors)).contains(
+ "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file."
+ );
+ }
+
@Test
public void shouldReportThatOnlySignatureIsInvalid() throws Exception {
@@ -135,14 +151,14 @@
List<CSARArchive.CSARError> errors = testCase.getErrors();
assertThat(convertToMessagesList(errors)).contains(
"Unable to find cert file defined by Entry-Certificate!",
- "Unable to find CMS section in manifest!",
+ "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file.",
"Missing. Entry [tosca_definitions_version]"
);
}
@Test
- public void shouldReportThanInVnfPackageETSIFileIsMissingAndNoCertificateInCMS() throws Exception {
+ public void shouldReportThanInVnfPackageETSIFileIsMissing() throws Exception {
// given
configureTestCase(testCase, "pnf/r130206/csar-with-no-certificate.csar", "vtp-validate-csar-r130206.yaml", IS_PNF);
@@ -154,7 +170,7 @@
List<CSARArchive.CSARError> errors = testCase.getErrors();
assertThat(convertToMessagesList(errors)).contains(
"Unable to find cert file defined by ETSI-Entry-Certificate!",
- "Unable to find CMS section in manifest!"
+ "Warning. Consider adding security options (CMS and hash codes for sources) in manifest file."
);
}
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar
new file mode 100644
index 0000000..d50d74a
--- /dev/null
+++ b/csarvalidation/src/test/resources/pnf/r130206/csar-option1-warning.csar
Binary files differ
diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar
index 624f8fe..998619a 100644
--- a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar
+++ b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar
Binary files differ