PackageCertificateToCsvDriver.cs
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using MessagePack;
using NuGet.Insights.ReferenceTracking;
using Validation.PackageSigning.ValidateCertificate;
namespace NuGet.Insights.Worker.PackageCertificateToCsv
{
/// <summary>
/// This driver discovers and records the following fundamental package to certificate relationships:
///
/// - "package PRIMARY-SIGNED-CMS-CONTAINS certificate"
/// The certificate is in the primary signature's signed CMS. This typically has the certificates of both the
/// repository and author code signing certificate chains. Most often this is 3 for the repository signature
/// and 3 more (6 total) if there is an author signature.
///
/// - "package AUTHOR-TIMESTAMP-SIGNED-CMS-CONTAINS certificate"
/// The certificate is in the author timestamp's signed CMS. Most often this is 3 certificates.
///
/// - "package REPOSITORY-TIMESTAMP-SIGNED-CMS-CONTAINS certificate"
/// The certificate is in the repository timestamp's signed CMS. Most often this is 3 certificates.
///
/// - "package IS-AUTHOR-CODE-SIGNED-BY certificate"
/// The certificate is the end certificate for the author code signature.
///
/// - "package IS-REPOSITORY-CODE-SIGNED-BY certificate"
/// The certificate is the end certificate for the repository code signature.
///
/// - "package IS-AUTHOR-TIMESTAMPED-BY certificate"
/// The certificate is the end certificate for the author timestamp.
///
/// - "package IS-REPOSITORY-TIMESTAMPED-BY certificate"
/// The certificate is the end certificate for the repository timestamp.
///
/// This driver also discovers the following certificate to certificate relationship:
///
/// - "certificate IS-ISSUED-BY certificate"
///
/// For ease of querying and for denormalization purposes, this driver infers the following additional package to
/// certificate relationships from the aforementioned relationships.
///
/// - "package AUTHOR-CODE-SIGNING-CHAIN-CONTAINS certificate"
/// - "package AUTHOR-TIMESTAMPING-CHAIN-CONTAINS certificate"
/// - "package REPOSITORY-CODE-SIGNING-CHAIN-CONTAINS certificate"
/// - "package REPOSITORY-TIMESTAMPING-CHAIN-CONTAINS certificate"
///
/// Finally, this driver extracts interesting metadata about individual certificates.
/// </summary>
public class PackageCertificateToCsvDriver :
ICatalogLeafToCsvBatchDriver<PackageCertificateRecord, CertificateRecord>,
ICsvResultStorage<PackageCertificateRecord>,
ICsvResultStorage<CertificateRecord>
{
private readonly ContainerInitializationState _initializationState;
private readonly CatalogClient _catalogClient;
private readonly PackageFileService _packageFileService;
private readonly ReferenceTracker _referenceTracker;
private readonly ICertificateVerifier _verifier;
private readonly IOptions<NuGetInsightsWorkerSettings> _options;
private readonly ILogger<PackageCertificateToCsvDriver> _logger;
/// <summary>
/// Stores the injected collaborators and creates the initialization state that wraps
/// <c>InitializeInternalAsync</c> and <c>DestroyInternalAsync</c>.
/// </summary>
/// <param name="catalogClient">Client used to fetch catalog leaves.</param>
/// <param name="packageFileService">Service used to read a package's primary signature.</param>
/// <param name="referenceTracker">Tracker that persists package-to-certificate references.</param>
/// <param name="verifier">Certificate verifier handed to each <c>CertificateDataBuilder</c>.</param>
/// <param name="options">Worker settings supplying table and container names.</param>
/// <param name="logger">Logger for this driver.</param>
/// <remarks>The arguments are stored as passed; no validation is performed here.</remarks>
public PackageCertificateToCsvDriver(
    CatalogClient catalogClient,
    PackageFileService packageFileService,
    ReferenceTracker referenceTracker,
    ICertificateVerifier verifier,
    IOptions<NuGetInsightsWorkerSettings> options,
    ILogger<PackageCertificateToCsvDriver> logger)
{
    // Injected dependencies, in parameter order.
    _catalogClient = catalogClient;
    _packageFileService = packageFileService;
    _referenceTracker = referenceTracker;
    _verifier = verifier;
    _options = options;
    _logger = logger;

    // The two callbacks are passed as method groups; when they actually run is up to
    // ContainerInitializationState.
    _initializationState = ContainerInitializationState.New(InitializeInternalAsync, DestroyInternalAsync);
}
/// <summary>
/// Initializes this driver by delegating to the shared initialization state, which was constructed with
/// <c>InitializeInternalAsync</c> as its initialize callback.
/// </summary>
public async Task InitializeAsync() => await _initializationState.InitializeAsync();
/// <summary>
/// Tears this driver's storage down by delegating to the shared initialization state, which was constructed
/// with <c>DestroyInternalAsync</c> as its destroy callback.
/// </summary>
public async Task DestroyAsync() => await _initializationState.DestroyAsync();
/// <summary>
/// Starts initialization of the package file service and of the reference tracker's two tables, then waits
/// for both to finish.
/// </summary>
private async Task InitializeInternalAsync()
{
    // Kick off the package file service first, exactly as the argument order of the combined call would.
    var packageFilesReady = _packageFileService.InitializeAsync();

    var settings = _options.Value;
    var referenceTablesReady = _referenceTracker.InitializeAsync(
        settings.PackageToCertificateTableName,
        settings.CertificateToPackageTableName);

    await Task.WhenAll(packageFilesReady, referenceTablesReady);
}
/// <summary>
/// Asks the reference tracker to destroy the package-to-certificate and certificate-to-package tables named
/// in the worker settings. The package file service is not touched here.
/// </summary>
private async Task DestroyInternalAsync()
{
    var settings = _options.Value;
    var forwardTable = settings.PackageToCertificateTableName;
    var reverseTable = settings.CertificateToPackageTableName;

    await _referenceTracker.DestroyAsync(forwardTable, reverseTable);
}
/// <summary>Always <c>false</c> for this driver.</summary>
public bool SingleMessagePerId
{
    get { return false; }
}

/// <summary>Container name for package certificate records, read from the worker settings on each access.</summary>
string ICsvResultStorage<PackageCertificateRecord>.ResultContainerName
{
    get { return _options.Value.PackageCertificateContainerName; }
}

/// <summary>Container name for certificate records, read from the worker settings on each access.</summary>
string ICsvResultStorage<CertificateRecord>.ResultContainerName
{
    get { return _options.Value.CertificateContainerName; }
}
/// <summary>
/// Processes a batch of catalog leaf scans one package ID at a time and returns the resulting
/// package-to-certificate records, the certificate records, and the scans that failed.
/// </summary>
/// <param name="leafScans">The scans in this batch. They are grouped by package ID, ignoring case.</param>
/// <returns>
/// A result holding both CSV record sets plus the list of scans whose package ID group threw.
/// </returns>
/// <remarks>
/// When the batch holds exactly one scan the exception filter does not match, so a failure propagates to
/// the caller instead of being added to the failed list.
/// </remarks>
public async Task<BatchMessageProcessorResult<CsvRecordSets<PackageCertificateRecord, CertificateRecord>, CatalogLeafScan>>
    ProcessLeavesAsync(IReadOnlyList<CatalogLeafScan> leafScans)
{
    var failedScans = new List<CatalogLeafScan>();

    // One builder serves the whole batch; per-package state is cleared inside ProcessPackageIdAsync.
    var builder = new CertificateDataBuilder(_verifier, _logger);
    var packageRecords = new List<PackageCertificateRecord>();

    var scansById = leafScans.GroupBy(scan => scan.PackageId, StringComparer.OrdinalIgnoreCase);
    foreach (var idGroup in scansById)
    {
        // The lower-cased ID is what flows into identities and reference tracking; the original casing
        // (idGroup.Key) is only used for the log message below.
        var loweredId = idGroup.Key.ToLowerInvariant();
        var scansForId = idGroup.ToList();

        try
        {
            var recordsForId = await ProcessPackageIdAsync(builder, loweredId, scansForId);
            packageRecords.AddRange(recordsForId);
        }
        catch (Exception ex) when (leafScans.Count != 1)
        {
            _logger.LogError(ex, "Loading package certificate info failed for {Id} with {Count} versions.", idGroup.Key, scansForId.Count);
            failedScans.AddRange(idGroup);
        }
    }

    // Certificate records are built from everything the builder has accumulated across all groups.
    // NOTE(review): a group that threw part-way may already have contributed certificate data to the
    // builder before failing - confirm that emitting those certificate rows is intended.
    var certificateRecords = GetCertificateRecords(builder);

    var recordSets = new CsvRecordSets<PackageCertificateRecord, CertificateRecord>(
        packageRecords,
        certificateRecords);

    return new BatchMessageProcessorResult<CsvRecordSets<PackageCertificateRecord, CertificateRecord>, CatalogLeafScan>(
        recordSets,
        failedScans);
}
/// <summary>
/// Runs the three per-package-ID steps in order: populate the builder from the leaf items, write the
/// package-to-certificate references, then produce the CSV records.
/// </summary>
/// <param name="builder">The batch-wide builder; its package state is reset at the start of this call.</param>
/// <param name="packageId">The package ID, as passed by the caller.</param>
/// <param name="leafItems">The catalog leaf scans that belong to <paramref name="packageId"/>.</param>
/// <returns>The package certificate records for the given leaf items.</returns>
private async Task<List<PackageCertificateRecord>> ProcessPackageIdAsync(
    CertificateDataBuilder builder,
    string packageId,
    IReadOnlyList<CatalogLeafScan> leafItems)
{
    // Drop package state left over from the previous package ID. Certificate validation results are kept
    // so they can be reused across the batch.
    builder.ClearPackages();

    // Step order matters: references and records are both read from what the populate step built.
    await PopulateCertificatesAsync(builder, packageId, leafItems);
    await WriteReferencesAsync(builder, packageId);

    var records = await GetPackageCertificateRecordsAsync(builder, packageId, leafItems);
    return records;
}
/// <summary>
/// Feeds each leaf item into the builder, as an added package when a primary signature is available and as
/// a deleted package otherwise, and then asks the builder to verify certificates and connect them.
/// </summary>
/// <param name="builder">The builder that accumulates package and certificate data.</param>
/// <param name="packageId">The package ID used to build each package identity.</param>
/// <param name="leafItems">The catalog leaf scans to process.</param>
private async Task PopulateCertificatesAsync(
    CertificateDataBuilder builder,
    string packageId,
    IReadOnlyList<CatalogLeafScan> leafItems)
{
    foreach (var leafScan in leafItems)
    {
        var identity = GetIdentity(packageId, leafScan);

        if (leafScan.LeafType == CatalogLeafType.PackageDelete)
        {
            builder.DeletePackage(identity);
            continue;
        }

        var primarySignature = await _packageFileService.GetPrimarySignatureAsync(leafScan.ToPackageIdentityCommit());
        if (primarySignature == null)
        {
            // A package whose primary signature cannot be obtained is recorded the same way as a deleted
            // package. NOTE(review): this makes "no signature available" indistinguishable from "deleted"
            // in the builder - confirm consumers of the output do not need to tell the two apart.
            builder.DeletePackage(identity);
            continue;
        }

        builder.AddPackage(identity, leafScan, primarySignature);
    }

    // Runs once per package ID, after every version has been added or deleted.
    builder.VerifyCertificatesAndConnect();
}
/// <summary>
/// Converts the builder's per-package relationships into reference edges keyed by package version and
/// stores them through the reference tracker.
/// </summary>
/// <param name="builder">The builder whose <c>Relationships</c> are written.</param>
/// <param name="packageId">The package ID that owns the references.</param>
/// <remarks>
/// Nothing is written when <paramref name="packageId"/> contains <c>ReferenceTracker.Separator</c>; the
/// caller still goes on to produce CSV records for that package ID.
/// </remarks>
private async Task WriteReferencesAsync(
    CertificateDataBuilder builder,
    string packageId)
{
    // Input guard on the package ID before it reaches the tracker.
    // NOTE(review): presumably the separator delimits parts of the tracker's stored keys, so an ID
    // containing it could be confused with a different subject - confirm against ReferenceTracker.
    var idContainsSeparator = packageId.Contains(ReferenceTracker.Separator, StringComparison.Ordinal);
    if (idContainsSeparator)
    {
        _logger.LogInformation(
            $"Skipping writing references package ID '{{Id}}' because it contains a " +
            $"'{ReferenceTracker.Separator}'. This is not valid for package IDs.",
            packageId);
        return;
    }

    var edgesByVersion = new Dictionary<string, IReadOnlySet<SubjectEdge>>();
    foreach (var (package, relationships) in builder.Relationships)
    {
        if (relationships.Any())
        {
            var edges = new HashSet<SubjectEdge>();
            foreach (var (fingerprint, types) in relationships)
            {
                // The relationship types travel as the edge's serialized payload.
                var payload = MessagePackSerializer.Serialize(types, NuGetInsightsMessagePack.Options);
                edges.Add(new SubjectEdge(fingerprint, string.Empty, payload));
            }

            edgesByVersion.Add(package.Version, edges);
        }
        else
        {
            // A version with no relationships is still passed along, with the shared empty set.
            edgesByVersion.Add(package.Version, ReferenceTracker.EmptySet);
        }
    }

    var settings = _options.Value;
    await _referenceTracker.SetReferencesAsync(
        settings.PackageToCertificateTableName,
        settings.CertificateToPackageTableName,
        ReferenceTypes.Package,
        ReferenceTypes.Certificate,
        packageId,
        edgesByVersion);
}
/// <summary>
/// Builds the package certificate CSV records for the given leaf items: one record per delete leaf, and one
/// record per (fingerprint, relationship types) pair for every other leaf.
/// </summary>
/// <param name="builder">The populated builder supplying scan metadata and relationships.</param>
/// <param name="packageId">The package ID used to build each package identity.</param>
/// <param name="leafItems">The catalog leaf items to turn into records.</param>
/// <returns>The records, in leaf item order.</returns>
private async Task<List<PackageCertificateRecord>> GetPackageCertificateRecordsAsync(
    CertificateDataBuilder builder,
    string packageId,
    IReadOnlyList<ICatalogLeafItem> leafItems)
{
    var output = new List<PackageCertificateRecord>();

    foreach (var leafItem in leafItems)
    {
        var identity = GetIdentity(packageId, leafItem);
        var fetchedLeaf = await _catalogClient.GetCatalogLeafAsync(leafItem.LeafType, leafItem.Url);

        if (leafItem.LeafType == CatalogLeafType.PackageDelete)
        {
            var deleteLeaf = (PackageDeleteCatalogLeaf)fetchedLeaf;
            output.Add(new PackageCertificateRecord(builder.ScanId, builder.ScanTimestamp, deleteLeaf));
            continue;
        }

        var detailsLeaf = (PackageDetailsCatalogLeaf)fetchedLeaf;

        // Indexer lookup: assumes the builder holds an entry for every non-delete identity, including
        // those it recorded as deleted for lack of a signature - TODO confirm. A package with an empty
        // relationship set yields no record at all.
        foreach (var pair in builder.Relationships[identity])
        {
            output.Add(new PackageCertificateRecord(
                builder.ScanId,
                builder.ScanTimestamp,
                detailsLeaf)
            {
                Fingerprint = pair.Key,
                RelationshipTypes = pair.Value,
            });
        }
    }

    return output;
}
/// <summary>
/// Creates one certificate CSV record for every entry in the builder's fingerprint-to-info map.
/// </summary>
/// <param name="builder">The builder supplying scan metadata and certificate info.</param>
/// <returns>A new list with one record per certificate info value.</returns>
private List<CertificateRecord> GetCertificateRecords(
    CertificateDataBuilder builder)
{
    var certificateRecords = new List<CertificateRecord>();
    foreach (var info in builder.FingerprintToInfo.Values)
    {
        certificateRecords.Add(new CertificateRecord(builder.ScanId, builder.ScanTimestamp, info));
    }

    return certificateRecords;
}
/// <summary>
/// Builds the package identity for a leaf item from the given package ID and the item's parsed version,
/// normalized and lower-cased.
/// </summary>
/// <param name="packageId">The package ID, used exactly as passed (no casing change happens here).</param>
/// <param name="item">The catalog leaf item whose version is parsed.</param>
/// <returns>The identity made of <paramref name="packageId"/> and the lower-cased normalized version.</returns>
private static PackageIdentity GetIdentity(string packageId, ICatalogLeafItem item)
{
    var parsedVersion = item.ParsePackageVersion();
    var normalizedVersion = parsedVersion.ToNormalizedString();
    var loweredVersion = normalizedVersion.ToLowerInvariant();

    return new PackageIdentity(packageId, loweredVersion);
}
}
}