Filter repository signatures from Validate Certificate, Revalidate jobs (#402)

joelverhagen · joelverhagen · commit c67227ee7874 · 2018-04-13T15:42:22.000-07:00
Address NuGet/Engineering#1198
diff --git a/src/NuGet.Services.Validation.Orchestrator/PackageSigning/ValidateCertificate/PackageCertificatesValidator.cs b/src/NuGet.Services.Validation.Orchestrator/PackageSigning/ValidateCertificate/PackageCertificatesValidator.cs
@@ -236,6 +236,7 @@ private Task<PackageSignature> FindSignatureAsync(IValidationRequest request)
                         .PackageSignatures
                         .Include(s => s.EndCertificate)
                         .Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))
+                        .Where(s => s.Type == PackageSignatureType.Author)
                         .SingleAsync(s => s.PackageKey == request.PackageKey);
         }
 
diff --git a/src/Validation.PackageSigning.RevalidateCertificate/CertificateRevalidator.cs b/src/Validation.PackageSigning.RevalidateCertificate/CertificateRevalidator.cs
@@ -73,6 +73,7 @@ private async Task<List<PackageSignature>> FindPromotableSignaturesAsync()
 
                 var potentialSignatures = await _context.PackageSignatures
                     .Where(s => s.Status == PackageSignatureStatus.InGracePeriod)
+                    .Where(s => s.Type == PackageSignatureType.Author)
                     .Include(s => s.EndCertificate)
                     .Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))
                     .OrderBy(s => s.CreatedAt)
diff --git a/src/Validation.PackageSigning.ValidateCertificate/CertificateValidationService.cs b/src/Validation.PackageSigning.ValidateCertificate/CertificateValidationService.cs
@@ -286,11 +286,13 @@ private Task<List<PackageSignature>> FindSignaturesAsync(EndCertificate certific
             {
                 case EndCertificateUse.CodeSigning:
                     packageSignatures = _context.PackageSignatures
+                                                .Where(s => s.Type == PackageSignatureType.Author)
                                                 .Where(s => s.EndCertificate.Thumbprint == certificate.Thumbprint);
                     break;
 
                 case EndCertificateUse.Timestamping:
                     packageSignatures = _context.PackageSignatures
+                                                .Where(s => s.Type == PackageSignatureType.Author)
                                                 .Where(s => s.TrustedTimestamps.Any(t => t.EndCertificate.Thumbprint == certificate.Thumbprint));
 
                     break;
diff --git a/tests/NuGet.Services.Validation.Orchestrator.Tests/PackageSigning/ValidateCertificate/PackageCertificatesValidatorFacts.cs b/tests/NuGet.Services.Validation.Orchestrator.Tests/PackageSigning/ValidateCertificate/PackageCertificatesValidatorFacts.cs
@@ -160,6 +160,7 @@ public async Task ReturnsExpectedStatusForCertificateValidations(ValidationStatu
                     PackageKey = PackageKey,
                     Status = PackageSignatureStatus.Unknown,
                     EndCertificate = certificate,
+                    Type = PackageSignatureType.Author,
                 };
 
                 certificate.PackageSignatures = new[] { packageSignature };
@@ -271,6 +272,7 @@ public async Task InvalidSignatureFailsValidation(
                     Status = packageSignatureStatus,
                     PackageSigningState = packageSigningState,
                     EndCertificate = certificate,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -335,6 +337,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
                                 EndCertificate = cert1SecondAgo,
                             }
                         },
+                        Type = PackageSignatureType.Author,
                     },
                 };
 
@@ -354,6 +357,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
                                 EndCertificate = cert1SecondAgo,
                             }
                         },
+                        Type = PackageSignatureType.Author,
                     },
                 };
 
@@ -373,6 +377,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
                                 EndCertificate = cert1YearAgo,
                             }
                         },
+                        Type = PackageSignatureType.Author,
                     },
                 };
 
@@ -396,6 +401,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
                                 EndCertificate = cert1YearAgo,
                             }
                         },
+                        Type = PackageSignatureType.Author,
                     },
                 };
 
@@ -415,6 +421,7 @@ public static IEnumerable<object[]> ValidSignaturesArePromotedData()
                                 EndCertificate = cert1SecondAgo,
                             }
                         },
+                        Type = PackageSignatureType.Author,
                     },
                 };
             }
@@ -489,7 +496,8 @@ public async Task ThrowsIfValidSignaturesHasTimestampWithRevokedCertificate()
                 var signature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Unknown
+                    Status = PackageSignatureStatus.Unknown,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -630,7 +638,8 @@ public async Task ReturnsSucceededIfAllCertificatesAlreadyValidated()
                 var packageSignature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Valid
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -712,7 +721,8 @@ public async Task ReturnsIncompleteIfThereAreCertificatesToValidate()
                 var packageSignature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Valid
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -792,7 +802,8 @@ public async Task CertificateRevokedAfterPackageWasSignedDoesntInvalidateSignatu
                 var packageSignature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Valid
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -875,7 +886,8 @@ public async Task InvalidCertificatesAlwaysInvalidateSignature()
                 var packageSignature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Valid
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -1051,7 +1063,8 @@ public async Task OnRevalidationAllNonRevokedCertificatesAreVerified(
                 var packageSignature = new PackageSignature
                 {
                     PackageKey = PackageKey,
-                    Status = PackageSignatureStatus.Valid
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -1122,6 +1135,7 @@ public async Task RevokedSignaturesAreInvalidated()
                 {
                     PackageKey = PackageKey,
                     Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
                 };
 
                 var timestamp = new TrustedTimestamp
@@ -1167,6 +1181,98 @@ public async Task RevokedSignaturesAreInvalidated()
                 Assert.Equal(PackageSigningStatus.Invalid, packageSigningState.SigningStatus);
             }
 
+            [Theory]
+            [InlineData(PackageSignatureType.Repository)]
+            [InlineData((PackageSignatureType)0)]
+            public async Task NonAuthorSignaturesAreIgnored(PackageSignatureType type)
+            {
+                // Arrange
+                var validatorStatus = new ValidatorStatus
+                {
+                    ValidationId = ValidationId,
+                    ValidatorName = nameof(PackageCertificatesValidator),
+                    PackageKey = PackageKey,
+                    State = ValidationStatus.NotStarted,
+                    ValidatorIssues = new List<ValidatorIssue>(),
+                };
+
+                var packageSigningState = new PackageSigningState
+                {
+                    PackageKey = PackageKey,
+                    PackageId = PackageId,
+                    PackageNormalizedVersion = PackageNormalizedVersion,
+                    SigningStatus = PackageSigningStatus.Valid,
+                };
+
+                var authorPackageSignature = new PackageSignature
+                {
+                    PackageKey = PackageKey,
+                    Status = PackageSignatureStatus.Valid,
+                    Type = PackageSignatureType.Author,
+                };
+
+                var repositoryPackageSignature = new PackageSignature
+                {
+                    PackageKey = PackageKey,
+                    Status = PackageSignatureStatus.Unknown,
+                    Type = type,
+                };
+
+                var timestamp = new TrustedTimestamp
+                {
+                    Value = DateTime.UtcNow.AddDays(-10)
+                };
+
+                var signatureCertificate = new EndCertificate
+                {
+                    Key = 123,
+                    Status = EndCertificateStatus.Good,
+                    StatusUpdateTime = DateTime.UtcNow.AddSeconds(-10),
+                    NextStatusUpdateTime = DateTime.UtcNow.AddDays(1),
+                    LastVerificationTime = DateTime.UtcNow.AddSeconds(-10),
+                    RevocationTime = null,
+                    ValidationFailures = 0,
+                };
+
+                var timestampCertificate = new EndCertificate
+                {
+                    Key = 456,
+                    Status = EndCertificateStatus.Good,
+                    StatusUpdateTime = DateTime.UtcNow.AddSeconds(-10),
+                    NextStatusUpdateTime = DateTime.UtcNow.AddDays(1),
+                    LastVerificationTime = DateTime.UtcNow.AddSeconds(-10),
+                    RevocationTime = null,
+                    ValidationFailures = 0,
+                };
+
+                packageSigningState.PackageSignatures = new[] { authorPackageSignature, repositoryPackageSignature };
+                authorPackageSignature.PackageSigningState = packageSigningState;
+                authorPackageSignature.TrustedTimestamps = new[] { timestamp };
+                authorPackageSignature.EndCertificate = signatureCertificate;
+                timestamp.EndCertificate = timestampCertificate;
+                signatureCertificate.PackageSignatures = new[] { authorPackageSignature };
+                timestampCertificate.TrustedTimestamps = new[] { timestamp };
+
+                _validationContext.Mock(
+                    validatorStatuses: new[] { validatorStatus },
+                    packageSigningStates: new[] { packageSigningState },
+                    packageSignatures: new[] { authorPackageSignature, repositoryPackageSignature },
+                    trustedTimestamps: new[] { timestamp },
+                    endCertificates: new[] { signatureCertificate, timestampCertificate });
+
+                // Act & Assert
+                var actual = await _target.StartAsync(_validationRequest.Object);
+
+                _certificateVerifier.Verify(v => v.EnqueueVerificationAsync(It.IsAny<IValidationRequest>(), It.IsAny<EndCertificate>()), Times.Never);
+                _validationContext.Verify(c => c.SaveChangesAsync(), Times.Once);
+                _telemetryService.Verify(
+                    x => x.TrackDurationToStartPackageCertificatesValidator(It.IsAny<TimeSpan>()),
+                    Times.Never);
+
+                Assert.Equal(ValidationStatus.Succeeded, actual.Status);
+                Assert.Equal(ValidationStatus.Succeeded, validatorStatus.State);
+            }
+
             public static IEnumerable<object[]> ValidationStatusesThatAreStarted = validationStatusesThatAreStarted.Select(s => new object[] { s });
         }
 
diff --git a/tests/Validation.PackageSigning.RevalidateCertificate.Tests/CertificateRevalidatorFacts.cs b/tests/Validation.PackageSigning.RevalidateCertificate.Tests/CertificateRevalidatorFacts.cs
@@ -55,6 +55,26 @@ public async Task DoesNoPromotionsIfNonePromotable()
                 Assert.Equal(PackageSignatureStatus.InGracePeriod, signature2.Status);
             }
 
+            [Theory]
+            [InlineData(PackageSignatureType.Repository)]
+            [InlineData((PackageSignatureType)0)]
+            public async Task DoesNotPromoteNonAuthorSignatures(PackageSignatureType type)
+            {
+                // Arrange - make signature nonpromotable due to repository type.
+                var signature = PromotableSignature;
+
+                signature.Type = type;
+
+                _context.Mock(packageSignatures: new[] { signature });
+
+                // Act & Assert
+                await _target.PromoteSignaturesAsync();
+
+                _context.Verify(c => c.SaveChangesAsync(), Times.Never);
+
+                Assert.Equal(PackageSignatureStatus.InGracePeriod, signature.Status);
+            }
+
             [Fact]
             public async Task PromotesSignaturesIfPossible()
             {
@@ -371,7 +391,9 @@ public Base()
                                 StatusUpdateTime = DateTime.UtcNow,
                             }
                         }
-                    }
+                    },
+
+                    Type = PackageSignatureType.Author,
                 };
 
             protected EndCertificate StaleCertificate =>
diff --git a/tests/Validation.PackageSigning.ValidateCertificate.Tests/CertificateValidationMessageHandlerIntegrationTests.cs b/tests/Validation.PackageSigning.ValidateCertificate.Tests/CertificateValidationMessageHandlerIntegrationTests.cs
@@ -72,9 +72,21 @@ public async Task ValidateSigningCertificate(
             var packageSigningState2 = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };
             var packageSigningState3 = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };
 
-            var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown };
-            var signatureInGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod };
-            var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid };
+            var signatureAtIngestion = new PackageSignature
+            {
+                Status = PackageSignatureStatus.Unknown,
+                Type = PackageSignatureType.Author,
+            };
+            var signatureInGracePeriod = new PackageSignature
+            {
+                Status = PackageSignatureStatus.InGracePeriod,
+                Type = PackageSignatureType.Author,
+            };
+            var signatureAfterGracePeriod = new PackageSignature
+            {
+                Status = PackageSignatureStatus.Valid,
+                Type = PackageSignatureType.Author,
+            };
 
             var trustedTimestamp1 = new TrustedTimestamp { Status = TrustedTimestampStatus.Valid, Value = signatureTime };
             var trustedTimestamp2 = new TrustedTimestamp { Status = TrustedTimestampStatus.Valid, Value = signatureTime };
@@ -212,9 +224,21 @@ public async Task ValidateTimestampingCertificate()
 
             var packageSigningState = new PackageSigningState { SigningStatus = PackageSigningStatus.Valid };
 
-            var signatureAtIngestion = new PackageSignature { Status = PackageSignatureStatus.Unknown };
-            var signatureInGracePeriod = new PackageSignature { Status = PackageSignatureStatus.InGracePeriod };
-            var signatureAfterGracePeriod = new PackageSignature { Status = PackageSignatureStatus.Valid };
+            var signatureAtIngestion = new PackageSignature
+            {
+                Status = PackageSignatureStatus.Unknown,
+                Type = PackageSignatureType.Author,
+            };
+            var signatureInGracePeriod = new PackageSignature
+            {
+                Status = PackageSignatureStatus.InGracePeriod,
+                Type = PackageSignatureType.Author,
+            };
+            var signatureAfterGracePeriod = new PackageSignature
+            {
+                Status = PackageSignatureStatus.Valid,
+                Type = PackageSignatureType.Author,
+            };
 
             var endCertificate = new EndCertificate
             {
diff --git a/tests/Validation.PackageSigning.ValidateCertificate.Tests/CertificateValidationServiceFacts.cs b/tests/Validation.PackageSigning.ValidateCertificate.Tests/CertificateValidationServiceFacts.cs

Original file line number	Diff line number	Diff line change
`@@ -236,6 +236,7 @@ private Task<PackageSignature> FindSignatureAsync(IValidationRequest request)`
`236`	`236`	`.PackageSignatures`
`237`	`237`	`.Include(s => s.EndCertificate)`
`238`	`238`	`.Include(s => s.TrustedTimestamps.Select(t => t.EndCertificate))`
	`239`	`+ .Where(s => s.Type == PackageSignatureType.Author)`
`239`	`240`	`.SingleAsync(s => s.PackageKey == request.PackageKey);`
`240`	`241`	`}`
`241`	`242`