Skip to content
This repository has been archived by the owner on Jul 30, 2024. It is now read-only.
/ NuGet.Jobs Public archive

Commit

Permalink
Merge pull request #416 from NuGet/dev
Browse files Browse the repository at this point in the history 
[ReleasePrep][2018.05.02]RI of dev into master
  • Loading branch information
@dtivel
dtivel authored May 2, 2018
2 parents 88e57ec + 8d6d375 commit 0a481b3
Show file tree
Hide file tree
Showing 10 changed files with 454 additions and 92 deletions.
2 changes: 1 addition & 1 deletion src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@
</ItemGroup>
<ItemGroup>
<PackageReference Include="NuGet.Services.Validation.Issues">
<Version>2.23.0</Version>
<Version>2.25.0-master-30191</Version>
</PackageReference>
</ItemGroup>
<ItemGroup>
Expand Down
4 changes: 2 additions & 2 deletions src/Validation.Common.Job/Validation.Common.Job.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,10 +100,10 @@
<Version>2.23.0</Version>
</PackageReference>
<PackageReference Include="NuGet.Services.Validation">
<Version>2.23.0</Version>
<Version>2.25.0-master-29664</Version>
</PackageReference>
<PackageReference Include="NuGetGallery.Core">
<Version>4.4.4-dev-26726</Version>
<Version>4.4.4-dev-29942</Version>
</PackageReference>
<PackageReference Include="Serilog">
<Version>2.5.0</Version>
Expand Down
4 changes: 2 additions & 2 deletions src/Validation.Common.Job/Validation.Common.Job.nuspec
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@
<dependency id="NuGet.Services.Configuration" version="2.23.0" />
<dependency id="NuGet.Services.Logging" version="2.23.0" />
<dependency id="NuGet.Services.Storage" version="2.23.0" />
<dependency id="NuGet.Services.Validation" version="2.23.0" />
<dependency id="NuGetGallery.Core" version="4.4.4-dev-26726" />
<dependency id="NuGet.Services.Validation" version="2.25.0-master-29664" />
<dependency id="NuGetGallery.Core" version="4.4.4-dev-29942" />
<dependency id="Serilog" version="2.5.0" />
<dependency id="System.Net.Http" version="4.3.3" />
</dependencies>
Expand Down
11 changes: 8 additions & 3 deletions src/Validation.PackageSigning.ProcessSignature/Job.cs
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using Autofac;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.WindowsAzure.Storage;
using NuGet.Jobs.Configuration;
using NuGet.Jobs.Validation.PackageSigning.Configuration;
using NuGet.Jobs.Validation.PackageSigning.Messages;
using NuGet.Jobs.Validation.PackageSigning.Storage;
Expand All @@ -30,7 +30,12 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi

services.AddTransient<ISubscriptionProcessor<SignatureValidationMessage>, SubscriptionProcessor<SignatureValidationMessage>>();

services.AddTransient<IEntityRepository<Certificate>, EntityRepository<Certificate>>();
services.AddScoped<IEntitiesContext>(serviceProvider =>
new EntitiesContext(
serviceProvider.GetRequiredService<IOptionsSnapshot<GalleryDbConfiguration>>().Value.ConnectionString,
readOnly: false));
services.Add(ServiceDescriptor.Transient(typeof(IEntityRepository<>), typeof(EntityRepository<>)));
services.AddTransient<ICorePackageService, CorePackageService>();

services.AddTransient<ITelemetryService, TelemetryService>();

Expand Down Expand Up @@ -61,7 +66,7 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
PackageSignatureVerifierFactory.CreateFull(),
p.GetRequiredService<ISignaturePartsExtractor>(),
p.GetRequiredService<IProcessorPackageFileService>(),
p.GetRequiredService<IEntityRepository<Certificate>>(),
p.GetRequiredService<ICorePackageService>(),
p.GetRequiredService<ITelemetryService>(),
p.GetRequiredService<ILogger<SignatureValidator>>()));
}
Expand Down
54 changes: 35 additions & 19 deletions src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
using NuGet.Services.Validation;
using NuGet.Services.Validation.Issues;
using NuGetGallery;
using NuGetGallery.Extensions;

namespace NuGet.Jobs.Validation.PackageSigning.ProcessSignature
{
Expand All @@ -32,7 +33,7 @@ public class SignatureValidator : ISignatureValidator
private readonly IPackageSignatureVerifier _fullPackageSignatureVerifier;
private readonly ISignaturePartsExtractor _signaturePartsExtractor;
private readonly IProcessorPackageFileService _packageFileService;
private readonly IEntityRepository<Certificate> _certificates;
private readonly ICorePackageService _corePackageService;
private readonly ITelemetryService _telemetryService;
private readonly ILogger<SignatureValidator> _logger;

Expand All @@ -42,7 +43,7 @@ public SignatureValidator(
IPackageSignatureVerifier fullPackageSignatureVerifier,
ISignaturePartsExtractor signaturePartsExtractor,
IProcessorPackageFileService packageFileService,
IEntityRepository<Certificate> certificates,
ICorePackageService corePackageService,
ITelemetryService telemetryService,
ILogger<SignatureValidator> logger)
{
Expand All @@ -51,7 +52,7 @@ public SignatureValidator(
_fullPackageSignatureVerifier = fullPackageSignatureVerifier ?? throw new ArgumentNullException(nameof(fullPackageSignatureVerifier));
_signaturePartsExtractor = signaturePartsExtractor ?? throw new ArgumentNullException(nameof(signaturePartsExtractor));
_packageFileService = packageFileService ?? throw new ArgumentNullException(nameof(packageFileService));
_certificates = certificates ?? throw new ArgumentNullException(nameof(certificates));
_corePackageService = corePackageService ?? throw new ArgumentNullException(nameof(corePackageService));
_telemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
Expand All @@ -71,20 +72,30 @@ public async Task<SignatureValidatorResult> ValidateAsync(
return await RejectAsync(context, ValidationIssue.PackageIsZip64);
}

// Validate signed packages and accept unsigned packages.
if (await context.PackageReader.IsSignedAsync(cancellationToken))
{
return await HandleSignedPackageAsync(context);
}
else
{
return await HandleUnsignedPackageAsync(context);
}

return await HandleUnsignedPackageAsync(context);
}
}

private async Task<SignatureValidatorResult> HandleUnsignedPackageAsync(Context context)
{
var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);

if (packageRegistration.IsSigningRequired())
{
_logger.LogWarning(
"Package {PackageId} {PackageVersion} for validation {ValidationId} must be signed but is unsigned.",
context.Message.PackageId,
context.Message.PackageVersion,
context.Message.ValidationId);

return await RejectAsync(context, ValidationIssue.PackageIsNotSigned);
}

_logger.LogInformation(
"Package {PackageId} {PackageVersion} is unsigned, no additional validations necessary for {ValidationId}.",
context.Message.PackageId,
Expand Down Expand Up @@ -178,7 +189,7 @@ private async Task<SignatureValidatorResult> PerformInitialValidationsAsync(Cont

// We now know we can safely read the signature.
context.Signature = await context.PackageReader.GetPrimarySignatureAsync(context.CancellationToken);

// Only reject counter signatures that have the author commitment type. Repository counter signatures
// are removed and replaced if they are invalid and valid ones are left as-is. Counter signatures
// without author or repository signature commitment type are not produced by the client but
Expand Down Expand Up @@ -319,16 +330,16 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
}

// Block packages with any unknown signing certificates.
var signingFingerprint = context.Signature
var signingCertificate = context.Signature
.SignerInfo
.Certificate
.ComputeSHA256Thumbprint();
var isKnownCertificate = _certificates
.GetAll()
.Any(c => signingFingerprint == c.Thumbprint);
if (!isKnownCertificate)
.Certificate;
var signingFingerprint = signingCertificate.ComputeSHA256Thumbprint();

var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);

if (!packageRegistration.IsAcceptableSigningCertificate(signingFingerprint))
{
_logger.LogInformation(
_logger.LogWarning(
"Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has an unknown certificate fingerprint: {UnknownFingerprint}",
context.Message.PackageId,
context.Message.PackageVersion,
Expand All @@ -337,7 +348,7 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context

return await RejectAsync(
context,
ValidationIssue.PackageIsSigned);
new UnauthorizedCertificateFailure(signingCertificate.Thumbprint.ToLowerInvariant()));
}

// Call the "verify" API, which does the main logic of signature validation.
Expand All @@ -357,6 +368,11 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
context.Message.ValidationId,
signingFingerprint);

await _corePackageService.UpdatePackageSigningCertificateAsync(
context.Message.PackageId,
context.Message.PackageVersion,
signingFingerprint);

return null;
}

Expand Down
Loading

0 comments on commit 0a481b3

Please sign in to comment.