private async Task <ValidatorStatus> StartInternalAsync(IValidationRequest request)
{
var status = await _validatorStateService.GetStatusAsync(request);
if (status.State != ValidationStatus.NotStarted)
{
_logger.LogWarning(
"Package Certificates validation with validationId {ValidationId} ({PackageId} {PackageVersion}) has already started.",
request.ValidationId,
request.PackageId,
request.PackageVersion);
return(status);
}
var package = await FindPackageSigningStateAsync(request);
if (package.SigningStatus == PackageSigningStatus.Unsigned)
{
_logger.LogInformation(
"Package {PackageId} {PackageVersion} is unsigned, no additional validations necessary",
request.PackageId,
request.PackageVersion);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Succeeded));
}
else if (package.SigningStatus == PackageSigningStatus.Invalid)
{
// Do NOT validate the package if its status is already marked as invalid. To revalidate the package,
// it MUST first pass the PackageSigningValidator. The PackageSigningValidator will mark the package's
// signing status as Valid, thereby allowing this validator to revalidate the package if necessary.
_logger.LogError(
Error.PackageCertificateValidationAlreadyFailed,
"Package {PackageId} {PackageVersion} has already failed validation",
request.PackageId,
request.PackageVersion);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Failed));
}
var isRevalidationRequest = await _validatorStateService.IsRevalidationRequestAsync(request);
// Find the signatures used to sign the package and see if any certificates known to be revoked
// invalidate any of these signatures. Note that a revoked certificate is assumed to remain
// revoked forever.
var signature = await FindSignatureAsync(request);
if (ShouldInvalidateSignature(signature, isRevalidationRequest))
{
InvalidatePackageSignature(request, package, signature);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Failed));
}
// Find the certificates that must be validated. A certificate must be validated if it has never been validated,
// or, if it hasn't been validated in a while (and it hasn't been revoked).
var certificates = FindCertificatesToValidateAsync(signature, isRevalidationRequest);
if (certificates.Any())
{
var stopwatch = Stopwatch.StartNew();
await StartCertificateValidationsAsync(request, certificates);
var result = await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Incomplete);
_telemetryService.TrackDurationToStartPackageCertificatesValidator(stopwatch.Elapsed);
return(result);
}
else
{
PromoteSignature(request, signature);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Succeeded));
}
}
public async Task <ValidationStatus> StartValidationAsync(IValidationRequest request)
{
var status = await _validatorStateService.GetStatusAsync(request);
if (status.State != ValidationStatus.NotStarted)
{
_logger.LogWarning(
"Package Certificates validation with validationId {ValidationId} ({PackageId} {PackageVersion}) has already started.",
request.ValidationId,
request.PackageId,
request.PackageVersion);
return(status.State);
}
var package = await FindPackageSigningStateAsync(request);
if (package.SigningStatus == PackageSigningStatus.Unsigned)
{
_logger.LogInformation(
"Package {PackageId} {PackageVersion} is unsigned, no additional validations necessary",
request.PackageId,
request.PackageVersion);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Succeeded));
}
else if (package.SigningStatus == PackageSigningStatus.Invalid)
{
// Do NOT validate the package if its status is already marked as invalid. To revalidate the package,
// it MUST first pass the PackageSigningValidator. The PackageSigningValidator will mark the package's
// signing status as Valid, thereby allowing this validator to revalidate the package if necessary.
_logger.LogError(
Error.PackageCertificateValidationAlreadyFailed,
"Package {PackageId} {PackageVersion} has already failed validation",
request.PackageId,
request.PackageVersion);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Failed));
}
var isRevalidationRequest = await _validatorStateService.IsRevalidationRequestAsync(request);
// Find the signatures used to sign the package and see if any certificates known to be revoked
// invalidate any of these signatures. Note that a revoked certificate is assumed to remain
// revoked forever.
var signatures = await FindSignaturesAsync(request);
var invalidSignatures = FindSignaturesToInvalidate(signatures, isRevalidationRequest);
if (invalidSignatures.Any())
{
InvalidatePackageSignatures(request, package, invalidSignatures);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Failed));
}
// Find the certificates that must be validated. A certificate must be validated if it has never been validated,
// or, if it hasn't been validated in a while (and it hasn't been revoked).
var certificates = FindCertificatesToValidateAsync(signatures, isRevalidationRequest);
if (certificates.Any())
{
await StartCertificateValidationsAsync(request, certificates);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Incomplete));
}
else
{
_logger.LogInformation(
"All certificates for package {PackageId} {PackageVersion} have already been validated, no additional validations necessary",
request.PackageId,
request.PackageVersion);
// Promote signatures out of the "Unknown" state to either "Valid" or "InGracePeriod".
PromoteSignatures(signatures);
return(await _validatorStateService.TryAddValidatorStatusAsync(request, status, ValidationStatus.Succeeded));
}
}