[Package Signing] Add Revalidate Certificate job (#385)

See https://github.com/NuGet/Engineering/issues/788

Author: loic-sharma

NuGet.Jobs.sln

@@ -115,6 +115,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SnapshotAzureBlob", "src\Sn
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.ProcessSignature.Tests", "tests\Validation.PackageSigning.ProcessSignature.Tests\Validation.PackageSigning.ProcessSignature.Tests.csproj", "{26435822-8938-48C9-96FD-0DCCF8F7CE00}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.RevalidateCertificate", "src\Validation.PackageSigning.RevalidateCertificate\Validation.PackageSigning.RevalidateCertificate.csproj", "{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Validation.PackageSigning.RevalidateCertificate.Tests", "tests\Validation.PackageSigning.RevalidateCertificate.Tests\Validation.PackageSigning.RevalidateCertificate.Tests.csproj", "{64095857-E9E3-4D9C-8769-7E558CD757CB}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -295,6 +299,14 @@ Global
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400}.Release|Any CPU.Build.0 = Release|Any CPU
+		{64095857-E9E3-4D9C-8769-7E558CD757CB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{64095857-E9E3-4D9C-8769-7E558CD757CB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{64095857-E9E3-4D9C-8769-7E558CD757CB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{64095857-E9E3-4D9C-8769-7E558CD757CB}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -343,6 +355,8 @@ Global
 		{DD043977-6BCD-475A-BEE2-8C34309EC622} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
 		{ED2D370C-D921-433A-A0B9-A601F936EDD3} = {FA5644B5-4F08-43F6-86B3-039374312A47}
 		{26435822-8938-48C9-96FD-0DCCF8F7CE00} = {6A776396-02B1-475D-A104-26940ADB04AB}
+		{EA32E1E5-7E7D-44E6-B496-43E1FEDE9400} = {678D7B14-F8BC-4193-99AF-2EE8AA390A02}
+		{64095857-E9E3-4D9C-8769-7E558CD757CB} = {6A776396-02B1-475D-A104-26940ADB04AB}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {284A7AC3-FB43-4F1F-9C9C-2AF0E1F46C2B}

build.ps1

@@ -109,6 +109,7 @@ Invoke-BuildStep 'Set version metadata in AssemblyInfo.cs' { `
             "$PSScriptRoot\src\Stats.CollectAzureChinaCDNLogs\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\Validation.PackageSigning.ProcessSignature\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\Validation.PackageSigning.ValidateCertificate\Properties\AssemblyInfo.g.cs",
+            "$PSScriptRoot\src\Validation.PackageSigning.RevalidateCertificate\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\NuGet.Jobs.Common\Properties\AssemblyInfo.g.cs",
             "$PSScriptRoot\src\Validation.Common.Job\Properties\AssemblyInfo.g.cs"
 
@@ -165,7 +166,8 @@ Invoke-BuildStep 'Creating artifacts' {
             "src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj", `
             "src/Stats.CollectAzureChinaCDNLogs/Stats.CollectAzureChinaCDNLogs.csproj", `
             "src/Validation.PackageSigning.ProcessSignature/Validation.PackageSigning.ProcessSignature.csproj", `
-            "src/Validation.PackageSigning.ValidateCertificate/Validation.PackageSigning.ValidateCertificate.csproj" `
+            "src/Validation.PackageSigning.ValidateCertificate/Validation.PackageSigning.ValidateCertificate.csproj", `
+            "src/Validation.PackageSigning.RevalidateCertificate/Validation.PackageSigning.RevalidateCertificate.csproj" `
             + $ProjectsWithSymbols
 
         Foreach ($Project in $Projects) {

src/NuGet.Services.Validation.Orchestrator/NuGet.Services.Validation.Orchestrator.csproj

@@ -136,4 +136,4 @@
     <SignPath Condition="'$(NuGetBuildPath)' != ''">$(NuGetBuildPath)</SignPath>
   </PropertyGroup>
   <Import Project="$(SignPath)\sign.targets" Condition="Exists('$(SignPath)\sign.targets')" />
-</Project>
+</Project>

src/NuGet.Services.Validation.Orchestrator/PackageSigning/ValidateCertificate/PackageCertificatesValidator.cs

@@ -244,7 +244,7 @@ private Task<PackageSignature> FindSignatureAsync(IValidationRequest request)
         private void PromoteSignature(IValidationRequest request, PackageSignature signature)
         {
 
-            var newSignatureStatus = (IsValidSignatureOutOfGracePeriod(request, signature))
+            var newSignatureStatus = signature.IsPromotable()
                                         ? PackageSignatureStatus.Valid
                                         : PackageSignatureStatus.InGracePeriod;
 

src/Validation.Common.Job/Validation.Common.Job.csproj

@@ -114,4 +114,4 @@
     <SignPath Condition="'$(NuGetBuildPath)' != ''">$(NuGetBuildPath)</SignPath>
   </PropertyGroup>
   <Import Project="$(SignPath)\sign.targets" Condition="Exists('$(SignPath)\sign.targets')" />
-</Project>
+</Project>

src/Validation.PackageSigning.Core/Extensions/PackageSignatureExtensions.cs

@@ -0,0 +1,72 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+
+namespace NuGet.Services.Validation
+{
+    public static class PackageSignatureExtensions
+    {
+        /// <summary>
+        /// Decide whether the valid signature should be considered "Valid" or "InGracePeriod".
+        /// </summary>
+        /// <param name="request">The validation request for the package whose signature should be inspected.</param>
+        /// <param name="signature">The valid signature whose status should be decided.</param>
+        /// <returns>True if the signature should be "Valid", false if it should be "InGracePeriod".</returns>
+        public static bool IsPromotable(this PackageSignature signature)
+        {
+            if (signature == null)
+            {
+                throw new ArgumentNullException(nameof(signature));
+            }
+
+            if (signature.Status == PackageSignatureStatus.Invalid)
+            {
+                throw new ArgumentException($"Package signature {signature.Key} is invalid and cannot be promoted", nameof(signature));
+            }
+
+            var signingTime = signature.TrustedTimestamps.Max(t => t.Value);
+
+            // Ensure the timestamps' certificate statuses are fresher than the signature.
+            foreach (var timestamp in signature.TrustedTimestamps)
+            {
+                // A valid signature should NEVER have a timestamp whose end certificate is revoked.
+                // Note that it is possible for a valid signature to have an invalid certificate as
+                // certain certificate statuses, like "NotTimeNested", do not affect signatures.
+                if (timestamp.EndCertificate.Status == EndCertificateStatus.Revoked)
+                {
+                    throw new ArgumentException(
+                        $"Package signature {signature.Key} is valid but has a timestamp whose end certificate is revoked",
+                        nameof(signature));
+                }
+
+                if (!IsCertificateStatusPastTime(timestamp.EndCertificate, signingTime))
+                {
+                    return false;
+                }
+            }
+
+            // A signature can be valid even if its certificate is revoked as long as the certificate
+            // revocation date begins after the signature was created. The validation pipeline does
+            // not revalidate revoked certificates, thus, a valid package signature with a revoked
+            // certificate is considered out of the grace period regardless of the certificate's
+            // status update time.
+            if (signature.EndCertificate.Status != EndCertificateStatus.Revoked)
+            {
+                // Ensure the signature's certificate status is fresher than the signature.
+                if (!IsCertificateStatusPastTime(signature.EndCertificate, signingTime))
+                {
+                    return false;
+                }
+            }
+
+            return true;
+        }
+
+        private static bool IsCertificateStatusPastTime(EndCertificate certificate, DateTime time)
+        {
+            return (certificate.StatusUpdateTime.HasValue && certificate.StatusUpdateTime > time);
+        }
+    }
+}

src/Validation.PackageSigning.Core/Validation.PackageSigning.Core.csproj

@@ -41,6 +41,7 @@
   <ItemGroup>
     <Compile Include="Configuration\CertificateStoreConfiguration.cs" />
     <Compile Include="Extensions\CryptographicAttributeObjectCollectionExtensions.cs" />
+    <Compile Include="Extensions\PackageSignatureExtensions.cs" />
     <Compile Include="Extensions\X509Certificate2Extensions.cs" />
     <Compile Include="Storage\CertificateStore.cs" />
     <Compile Include="Storage\ICertificateStore.cs" />

src/Validation.PackageSigning.RevalidateCertificate/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/>
+    </startup>
+</configuration>

src/Validation.PackageSigning.RevalidateCertificate/CertificateRevalidator.cs

@@ -0,0 +1,213 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Data.Entity;
+using System.Diagnostics;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
+using NuGet.Services.Validation;
+
+namespace Validation.PackageSigning.RevalidateCertificate
+{
+    public class CertificateRevalidator : ICertificateRevalidator
+    {
+        private readonly RevalidationConfiguration _config;
+        private readonly IValidationEntitiesContext _context;
+        private readonly IValidateCertificateEnqueuer _validationEnqueuer;
+        private readonly ITelemetryService _telemetry;
+        private readonly ILogger<CertificateRevalidator> _logger;
+
+        public CertificateRevalidator(
+            RevalidationConfiguration config,
+            IValidationEntitiesContext context,
+            IValidateCertificateEnqueuer validationEnqueuer,
+            ITelemetryService telemetry,
+            ILogger<CertificateRevalidator> logger)
+        {
+            _config = config ?? throw new ArgumentNullException(nameof(config));
+            _context = context ?? throw new ArgumentNullException(nameof(context));
+            _validationEnqueuer = validationEnqueuer ?? throw new ArgumentNullException(nameof(validationEnqueuer));
+            _telemetry = telemetry ?? throw new ArgumentNullException(nameof(telemetry));
+            _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+        }
+
+        public async Task PromoteSignaturesAsync()
+        {
+            using (_telemetry.TrackPromoteSignaturesDuration())
+            {
+                var promotableSignatures = await FindPromotableSignaturesAsync();
+
+                if (!promotableSignatures.Any())
+                {
+                    return;
+                }
+
+                foreach (var signature in promotableSignatures)
+                {
+                    _logger.LogInformation(
+                        $"Promoting signature {{SignatureKey}} for package {{PackageKey}} to status {nameof(PackageSignatureStatus.Valid)}",
+                        signature.Key,
+                        signature.PackageKey);
+
+                    signature.Status = PackageSignatureStatus.Valid;
+                }
+
+                await _context.SaveChangesAsync();
+            }
+        }
+
+        private async Task<List<PackageSignature>> FindPromotableSignaturesAsync()
+        {
+            var promotableSignatures = new List<PackageSignature>();
+            var signaturesScanned = 0;
+            var scans = 0;
+
+            while (promotableSignatures.Count < _config.SignaturePromotionBatchSize)
+            {
+                var take = Math.Min(
+                    _config.SignaturePromotionScanSize,
+                    _config.SignaturePromotionBatchSize - promotableSignatures.Count);
+
+                var potentialSignatures = await _context.PackageSignatures
+                    .Where(s => s.Status == PackageSignatureStatus.InGracePeriod)
+                    .Include(s => s.EndCertificate)
+                    .Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))
+                    .OrderBy(s => s.CreatedAt)
+                    .Skip(signaturesScanned)
+                    .Take(take)
+                    .ToListAsync();
+
+                promotableSignatures.AddRange(potentialSignatures.Where(s => s.IsPromotable()));
+
+                signaturesScanned += potentialSignatures.Count;
+                scans += 1;
+
+                // We've scanned all potential signatures if the last scan found less potential signatures
+                // than the maximal scan size.
+                if (potentialSignatures.Count < _config.SignaturePromotionScanSize)
+                {
+                    break;
+                }
+            }
+
+            _logger.LogInformation(
+                "Found {PromotableSignaturesCount} promotable signatures after {ScanCount} scans",
+                promotableSignatures.Count,
+                scans);
+
+            return promotableSignatures;
+        }
+
+        public async Task RevalidateStaleCertificatesAsync()
+        {
+            using (_telemetry.TrackCertificateRevalidationDuration())
+            {
+                var certificates = await FindStaleCertificatesAsync();
+
+                if (!certificates.Any())
+                {
+                    _logger.LogInformation("Did not find any stale certificates to revalidate");
+                    return;
+                }
+
+                var validationId = Guid.NewGuid();
+                var stopwatch = Stopwatch.StartNew();
+
+                using (_logger.BeginScope("Starting validation {ValidationId} for {CertificateCount} certificates...",
+                    validationId,
+                    certificates.Count))
+                {
+                    await StartCertificateValidationsAsync(validationId, certificates);
+                    await WaitOnCertificateValidationsAsync(validationId, stopwatch);
+                }
+            }
+        }
+
+        private Task<List<EndCertificate>> FindStaleCertificatesAsync()
+        {
+            // Find certificates that are before the stale cut off. Revoked certificates should never
+            // be revalidated as Certificate Authorities may not drop revocation status.
+            var staleCutoff = DateTime.UtcNow - _config.RevalidationPeriodForCertificates;
+
+            return _context.EndCertificates
+                .Where(c => c.Status != EndCertificateStatus.Revoked)
+                .Where(c => c.LastVerificationTime != null)
+                .Where(c => c.LastVerificationTime < staleCutoff)
+                .OrderBy(c => c.LastVerificationTime)
+                .Take(_config.CertificateRevalidationBatchSize)
+                .ToListAsync();
+        }
+
+        private async Task StartCertificateValidationsAsync(Guid validationId, List<EndCertificate> certificates)
+        {
+            _logger.LogInformation("Starting {Count} certificate validations...", certificates.Count);
+
+            var validationTasks = new List<Task>();
+
+            foreach (var certificate in certificates)
+            {
+                var task = _validationEnqueuer.EnqueueValidationAsync(validationId, certificate);
+
+                validationTasks.Add(task);
+
+                _context.CertificateValidations.Add(new EndCertificateValidation
+                {
+                    ValidationId = validationId,
+                    EndCertificate = certificate,
+                    Status = null,
+                });
+            }
+
+            // Wait until all revalidations have been enqueued, then, persist database changes.
+            await Task.WhenAll(validationTasks);
+            await _context.SaveChangesAsync();
+        }
+
+        private async Task WaitOnCertificateValidationsAsync(Guid validationId, Stopwatch stopwatch)
+        {
+            _logger.LogInformation("Waiting until all certificate validations finish...");
+
+            while (stopwatch.Elapsed < _config.CertificateRevalidationTimeout)
+            {
+                await Task.Delay(_config.CertificateRevalidationPollTime);
+
+                var validationsLeft = await _context.CertificateValidations
+                    .Where(v => v.ValidationId == validationId)
+                    .Where(v => v.Status == null)
+                    .CountAsync();
+
+                if (validationsLeft == 0)
+                {
+                    _logger.LogInformation("All certificate validations finished after {ElapsedTime}", stopwatch.Elapsed);
+
+                    return;
+                }
+                else if (stopwatch.Elapsed >= _config.CertificateRevalidationTrackAfter)
+                {
+                    _logger.LogWarning(
+                        "{ValidationsLeft} certificate validations left after {ElapsedTime} - this is longer than expected!",
+                        validationsLeft,
+                        stopwatch.Elapsed);
+
+                    _telemetry.TrackCertificateRevalidationTakingTooLong();
+                }
+                else
+                {
+                    _logger.LogInformation(
+                        "{ValidationsLeft} certificate validations left after {ElapsedTime}...",
+                        validationsLeft,
+                        stopwatch.Elapsed);
+                }
+            }
+
+            if (stopwatch.Elapsed >= _config.CertificateRevalidationTimeout)
+            {
+                _logger.LogError("Reached certificate revalidation timeout after {ElapsedTime}", stopwatch.Elapsed);
+                _telemetry.TrackCertificateRevalidationReachedTimeout();
+            }
+        }
+    }
+}

src/Validation.PackageSigning.RevalidateCertificate/ICertificateRevalidator.cs

@@ -0,0 +1,14 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading.Tasks;
+
+namespace Validation.PackageSigning.RevalidateCertificate
+{
+    interface ICertificateRevalidator
+    {
+        Task PromoteSignaturesAsync();
+
+        Task RevalidateStaleCertificatesAsync();
+    }
+}