This repository was archived by the owner on Jul 30, 2024. It is now read-only.

Commit 0a481b3

authored
Merge pull request #416 from NuGet/dev
[ReleasePrep][2018.05.02]RI of dev into master
2 parents 88e57ec + 8d6d375 commit 0a481b3

10 files changed

Lines changed: 454 additions & 92 deletions


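--- a/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
+++ b/src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj
@@ -107,7 +107,7 @@
 </ItemGroup>
 <ItemGroup>
 <PackageReference Include="NuGet.Services.Validation.Issues">
-<Version>2.23.0</Version>
+<Version>2.25.0-master-30191</Version>
 </PackageReference>
 </ItemGroup>
 <ItemGroup>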

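--- a/src/Validation.Common.Job/Validation.Common.Job.csproj
+++ b/src/Validation.Common.Job/Validation.Common.Job.csproj
@@ -100,10 +100,10 @@
 <Version>2.23.0</Version>
 </PackageReference>
 <PackageReference Include="NuGet.Services.Validation">
-<Version>2.23.0</Version>
+<Version>2.25.0-master-29664</Version>
 </PackageReference>
 <PackageReference Include="NuGetGallery.Core">
-<Version>4.4.4-dev-26726</Version>
+<Version>4.4.4-dev-29942</Version>
 </PackageReference>
 <PackageReference Include="Serilog">
 <Version>2.5.0</Version>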

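--- a/src/Validation.Common.Job/Validation.Common.Job.nuspec
+++ b/src/Validation.Common.Job/Validation.Common.Job.nuspec
@@ -19,8 +19,8 @@
 <dependency id="NuGet.Services.Configuration" version="2.23.0" />
 <dependency id="NuGet.Services.Logging" version="2.23.0" />
 <dependency id="NuGet.Services.Storage" version="2.23.0" />
-<dependency id="NuGet.Services.Validation" version="2.23.0" />
-<dependency id="NuGetGallery.Core" version="4.4.4-dev-26726" />
+<dependency id="NuGet.Services.Validation" version="2.25.0-master-29664" />
+<dependency id="NuGetGallery.Core" version="4.4.4-dev-29942" />
 <dependency id="Serilog" version="2.5.0" />
 <dependency id="System.Net.Http" version="4.3.3" />
 </dependencies>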

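--- a/src/Validation.PackageSigning.ProcessSignature/Job.cs
+++ b/src/Validation.PackageSigning.ProcessSignature/Job.cs
@@ -1,13 +1,13 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
 using Autofac;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.WindowsAzure.Storage;
+using NuGet.Jobs.Configuration;
 using NuGet.Jobs.Validation.PackageSigning.Configuration;
 using NuGet.Jobs.Validation.PackageSigning.Messages;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
@@ -30,7 +30,12 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
 
 services.AddTransient<ISubscriptionProcessor<SignatureValidationMessage>, SubscriptionProcessor<SignatureValidationMessage>>();
 
-services.AddTransient<IEntityRepository<Certificate>, EntityRepository<Certificate>>();
+services.AddScoped<IEntitiesContext>(serviceProvider =>
+new EntitiesContext(
+serviceProvider.GetRequiredService<IOptionsSnapshot<GalleryDbConfiguration>>().Value.ConnectionString,
+readOnly: false));
+services.Add(ServiceDescriptor.Transient(typeof(IEntityRepository<>), typeof(EntityRepository<>)));
+services.AddTransient<ICorePackageService, CorePackageService>();
 
 services.AddTransient<ITelemetryService, TelemetryService>();
 
@@ -61,7 +66,7 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
 PackageSignatureVerifierFactory.CreateFull(),
 p.GetRequiredService<ISignaturePartsExtractor>(),
 p.GetRequiredService<IProcessorPackageFileService>(),
-p.GetRequiredService<IEntityRepository<Certificate>>(),
+p.GetRequiredService<ICorePackageService>(),
 p.GetRequiredService<ITelemetryService>(),
 p.GetRequiredService<ILogger<SignatureValidator>>()));
 }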
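Review bot: The `IEntitiesContext` added in `ConfigureJobServices` is registered as scoped and opened with `readOnly: false`, while the validator that reaches it through `ICorePackageService` is built in a factory lambda whose own registration lifetime lies outside these hunks. If that validator is a singleton or is resolved from the root provider, the context is captured for the life of the process; assuming `EntitiesContext` is an Entity Framework context, it can then return cached `PackageRegistration` state, so a changed signing requirement may go unseen by later validations. Please confirm that each message is processed in its own DI scope. It would also help to document the write access, e.g. `// Read-write: the signature validator persists the package signing certificate.`, and to check that the open-generic `IEntityRepository<>` registration does not expose more gallery entities to this job than it needs.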

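--- a/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
+++ b/src/Validation.PackageSigning.ProcessSignature/SignatureValidator.cs
@@ -19,6 +19,7 @@
 using NuGet.Services.Validation;
 using NuGet.Services.Validation.Issues;
 using NuGetGallery;
+using NuGetGallery.Extensions;
 
 namespace NuGet.Jobs.Validation.PackageSigning.ProcessSignature
 {
@@ -32,7 +33,7 @@ public class SignatureValidator : ISignatureValidator
 private readonly IPackageSignatureVerifier _fullPackageSignatureVerifier;
 private readonly ISignaturePartsExtractor _signaturePartsExtractor;
 private readonly IProcessorPackageFileService _packageFileService;
-private readonly IEntityRepository<Certificate> _certificates;
+private readonly ICorePackageService _corePackageService;
 private readonly ITelemetryService _telemetryService;
 private readonly ILogger<SignatureValidator> _logger;
 
@@ -42,7 +43,7 @@ public SignatureValidator(
 IPackageSignatureVerifier fullPackageSignatureVerifier,
 ISignaturePartsExtractor signaturePartsExtractor,
 IProcessorPackageFileService packageFileService,
-IEntityRepository<Certificate> certificates,
+ICorePackageService corePackageService,
 ITelemetryService telemetryService,
 ILogger<SignatureValidator> logger)
 {
@@ -51,7 +52,7 @@ public SignatureValidator(
 _fullPackageSignatureVerifier = fullPackageSignatureVerifier ?? throw new ArgumentNullException(nameof(fullPackageSignatureVerifier));
 _signaturePartsExtractor = signaturePartsExtractor ?? throw new ArgumentNullException(nameof(signaturePartsExtractor));
 _packageFileService = packageFileService ?? throw new ArgumentNullException(nameof(packageFileService));
-_certificates = certificates ?? throw new ArgumentNullException(nameof(certificates));
+_corePackageService = corePackageService ?? throw new ArgumentNullException(nameof(corePackageService));
 _telemetryService = telemetryService ?? throw new ArgumentNullException(nameof(telemetryService));
 _logger = logger ?? throw new ArgumentNullException(nameof(logger));
 }
@@ -71,20 +72,30 @@ public async Task<SignatureValidatorResult> ValidateAsync(
 return await RejectAsync(context, ValidationIssue.PackageIsZip64);
 }
 
-// Validate signed packages and accept unsigned packages.
 if (await context.PackageReader.IsSignedAsync(cancellationToken))
 {
 return await HandleSignedPackageAsync(context);
 }
-else
-{
-return await HandleUnsignedPackageAsync(context);
-}
+
+return await HandleUnsignedPackageAsync(context);
 }
 }
-
+
 private async Task<SignatureValidatorResult> HandleUnsignedPackageAsync(Context context)
 {
+var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);
+
+if (packageRegistration.IsSigningRequired())
+{
+_logger.LogWarning(
+"Package {PackageId} {PackageVersion} for validation {ValidationId} must be signed but is unsigned.",
+context.Message.PackageId,
+context.Message.PackageVersion,
+context.Message.ValidationId);
+
+return await RejectAsync(context, ValidationIssue.PackageIsNotSigned);
+}
+
 _logger.LogInformation(
 "Package {PackageId} {PackageVersion} is unsigned, no additional validations necessary for {ValidationId}.",
 context.Message.PackageId,
@@ -178,7 +189,7 @@ private async Task<SignatureValidatorResult> PerformInitialValidationsAsync(Cont
 
 // We now know we can safely read the signature.
 context.Signature = await context.PackageReader.GetPrimarySignatureAsync(context.CancellationToken);
-
+
 // Only reject counter signatures that have the author commitment type. Repository counter signatures
 // are removed and replaced if they are invalid and valid ones are left as-is. Counter signatures
 // without author or repository signature commitment type are not produced by the client but
@@ -319,16 +330,16 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
 }
 
 // Block packages with any unknown signing certificates.
-var signingFingerprint = context.Signature
+var signingCertificate = context.Signature
 .SignerInfo
-.Certificate
-.ComputeSHA256Thumbprint();
-var isKnownCertificate = _certificates
-.GetAll()
-.Any(c => signingFingerprint == c.Thumbprint);
-if (!isKnownCertificate)
+.Certificate;
+var signingFingerprint = signingCertificate.ComputeSHA256Thumbprint();
+
+var packageRegistration = _corePackageService.FindPackageRegistrationById(context.Message.PackageId);
+
+if (!packageRegistration.IsAcceptableSigningCertificate(signingFingerprint))
 {
-_logger.LogInformation(
+_logger.LogWarning(
 "Signed package {PackageId} {PackageVersion} is blocked for validation {ValidationId} since it has an unknown certificate fingerprint: {UnknownFingerprint}",
 context.Message.PackageId,
 context.Message.PackageVersion,
@@ -337,7 +348,7 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
 
 return await RejectAsync(
 context,
-ValidationIssue.PackageIsSigned);
+new UnauthorizedCertificateFailure(signingCertificate.Thumbprint.ToLowerInvariant()));
 }
 
 // Call the "verify" API, which does the main logic of signature validation.
@@ -357,6 +368,11 @@ private async Task<SignatureValidatorResult> PerformFinalValidationAsync(Context
 context.Message.ValidationId,
 signingFingerprint);
 
+await _corePackageService.UpdatePackageSigningCertificateAsync(
+context.Message.PackageId,
+context.Message.PackageVersion,
+signingFingerprint);
+
 return null;
 }
 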
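Review bot: Both new calls to `_corePackageService.FindPackageRegistrationById(context.Message.PackageId)`, in `HandleUnsignedPackageAsync` and in `PerformFinalValidationAsync`, pass the result straight to an extension method with no null check. What happens when the ID in the message has no registration therefore depends on how `IsSigningRequired()` and `IsAcceptableSigningCertificate()` treat a null receiver, which is not visible here. For a signing-policy gate that case should be an explicit fail-closed path: add `if (packageRegistration == null)` before each policy call, log the IDs, and then reject or throw rather than fall through. Separately, the rejection branch logs the SHA-256 `signingFingerprint` but passes `signingCertificate.Thumbprint` to `UnauthorizedCertificateFailure`, which is the SHA-1 thumbprint if `Certificate` is an `X509Certificate2`; a comment such as `// The user-facing issue carries the SHA-1 thumbprint; the policy check and logs use SHA-256.` would stop responders from trying to match the two values. Both method bodies extend beyond the hunks shown.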
