public async Task Signer_VerifyOnTamperedPackage_FileDeletedAsync(string policyString)
{
// Arrange
var nupkg = new SimpleTestPackageContext();
var policy = GetSettingsPolicy(policyString);
using (var dir = TestDirectory.Create())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, dir);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
var verifier = new PackageSignatureVerifier(_trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, policy, CancellationToken.None);
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().BeFalse();
resultsWithErrors.Count().Should().Be(1);
totalErrorIssues.Count().Should().Be(1);
totalErrorIssues.First().Code.Should().Be(NuGetLogCode.NU3008);
totalErrorIssues.First().Message.Should().Be(_packageTamperedError);
}
}
}
public async Task Install_TamperedPackage_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
using (var context = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, context.WorkingDirectory);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
var args = new string[]
{
nupkg.Id,
"-Version",
nupkg.Version,
"-DirectDownload",
"-NoCache",
"-Source",
context.WorkingDirectory,
"-OutputDirectory",
Path.Combine(context.WorkingDirectory, "packages")
};
// Act
var result = RunInstall(_nugetExePath, context, expectedExitCode: 1, additionalArgs: args);
// Assert
result.ExitCode.Should().Be(1);
result.Errors.Should().Contain(string.Format(_NU3008, SigningTestUtility.AddSignatureLogPrefix(_NU3008Message, nupkg.Identity, context.WorkingDirectory)));
result.AllOutput.Should().Contain($"WARNING: {string.Format(_NU3027, SigningTestUtility.AddSignatureLogPrefix(_NU3027Message, nupkg.Identity, context.WorkingDirectory))}");
}
}
public async Task Restore_TamperedPackage_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
using (var pathContext = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
// Set up solution, project, and packages
var solution = new SimpleTestSolutionContext(pathContext.SolutionRoot);
var projectA = SimpleTestProjectContext.CreateNETCore(
"a",
pathContext.SolutionRoot,
NuGetFramework.Parse("NETStandard2.0"));
var packageX = new SimpleTestPackageContext("X", "9.0.0");
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, packageX, pathContext.PackageSource);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
projectA.AddPackageToAllFrameworks(packageX);
solution.Projects.Add(projectA);
solution.Create(pathContext.SolutionRoot);
var args = new string[]
{
projectA.ProjectPath,
"-Source",
pathContext.PackageSource
};
// Act
var result = RunRestore(_nugetExePath, pathContext, expectedExitCode: 1, additionalArgs: args);
var reader = new LockFileFormat();
var lockFile = reader.Read(projectA.AssetsFileOutputPath);
var errors = lockFile.LogMessages.Where(m => m.Level == LogLevel.Error);
var warnings = lockFile.LogMessages.Where(m => m.Level == LogLevel.Warning);
// Assert
result.ExitCode.Should().Be(1);
result.Errors.Should().Contain(_NU3008);
result.AllOutput.Should().Contain($"WARNING: {_NU3027}");
errors.Count().Should().Be(1);
errors.First().Code.Should().Be(NuGetLogCode.NU3008);
errors.First().Message.Should().Be(_NU3008Message);
errors.First().LibraryId.Should().Be(packageX.ToString());
warnings.Count().Should().Be(1);
warnings.First().Code.Should().Be(NuGetLogCode.NU3027);
warnings.First().Message.Should().Be(_NU3027Message);
warnings.First().LibraryId.Should().Be("X.9.0.0");
}
}
public async Task Restore_TamperedPackageInPackagesConfig_FailsWithErrorAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
var packagesConfigContent = "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
"<packages>" +
" <package id=\"X\" version=\"9.0.0\" targetFramework=\"net461\" />" +
"</packages>";
using (var pathContext = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(_trustedTestCert.Source.Cert))
{
// Set up solution, project, and packages
var solution = new SimpleTestSolutionContext(pathContext.SolutionRoot);
var projectA = new SimpleTestProjectContext(
"a",
ProjectStyle.PackagesConfig,
pathContext.SolutionRoot);
var packageX = new SimpleTestPackageContext("X", "9.0.0");
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, packageX, pathContext.PackageSource);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
projectA.AddPackageToAllFrameworks(packageX);
solution.Projects.Add(projectA);
solution.Create(pathContext.SolutionRoot);
var packagesConfigPath = Path.Combine(Directory.GetParent(projectA.ProjectPath).FullName, "packages.config");
File.WriteAllBytes(packagesConfigPath, Encoding.ASCII.GetBytes(packagesConfigContent));
var args = new string[]
{
projectA.ProjectPath,
"-Source",
pathContext.PackageSource,
"-PackagesDirectory",
"./packages"
};
// Act
var result = RunRestore(_nugetExePath, pathContext, expectedExitCode: 1, additionalArgs: args);
// Assert
result.ExitCode.Should().Be(1);
result.Errors.Should().Contain(_NU3008);
result.AllOutput.Should().Contain(_NU3027);
}
}
public async Task Install_TamperedAndRevokedCertificateSignaturePackage_FailsAsync()
{
// Arrange
var nupkg = new SimpleTestPackageContext("A", "1.0.0");
var testServer = await _testFixture.GetSigningTestServerAsync();
var certificateAuthority = await _testFixture.GetDefaultTrustedCertificateAuthorityAsync();
var issueOptions = IssueCertificateOptions.CreateDefaultForEndCertificate();
var bcCertificate = certificateAuthority.IssueCertificate(issueOptions);
using (var context = new SimpleTestPathContext())
using (var testCertificate = new X509Certificate2(bcCertificate.GetEncoded()))
{
testCertificate.PrivateKey = DotNetUtilities.ToRSA(issueOptions.KeyPair.Private as RsaPrivateCrtKeyParameters);
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(testCertificate, nupkg, context.WorkingDirectory);
SignedArchiveTestUtility.TamperWithPackage(signedPackagePath);
await certificateAuthority.OcspResponder.WaitForResponseExpirationAsync(bcCertificate);
certificateAuthority.Revoke(
bcCertificate,
RevocationReason.KeyCompromise,
DateTimeOffset.UtcNow.AddSeconds(-1));
var args = new string[]
{
nupkg.Id,
"-Version",
nupkg.Version,
"-DirectDownload",
"-NoCache",
"-Source",
context.WorkingDirectory,
"-OutputDirectory",
Path.Combine(context.WorkingDirectory, "packages")
};
// Act
var result = RunInstall(_nugetExePath, context, expectedExitCode: 1, additionalArgs: args);
// Assert
result.ExitCode.Should().Be(1);
result.Errors.Should().Contain(string.Format(_NU3008, SigningTestUtility.AddSignatureLogPrefix(_NU3008Message, nupkg.Identity, context.WorkingDirectory)));
result.Errors.Should().Contain(string.Format(_NU3012, SigningTestUtility.AddSignatureLogPrefix(_NU3012Message, nupkg.Identity, context.WorkingDirectory)));
result.AllOutput.Should().Contain($"WARNING: {string.Format(_NU3027, SigningTestUtility.AddSignatureLogPrefix(_NU3027Message, nupkg.Identity, context.WorkingDirectory))}");
}
}
public void InstallSignedTamperedPackageFromPMCAndFailForPC(ProjectTemplate projectTemplate)
{
// Arrange
EnsureVisualStudioHost();
var signedPackage = _fixture.SignedTestPackage;
using (var testContext = new ApexTestContext(VisualStudio, projectTemplate, XunitLogger))
{
SimpleTestPackageUtility.CreatePackages(testContext.PackageSource, signedPackage);
SignedArchiveTestUtility.TamperWithPackage(Path.Combine(testContext.PackageSource, signedPackage.PackageName));
var nugetConsole = GetConsole(testContext.Project);
nugetConsole.InstallPackageFromPMC(signedPackage.Id, signedPackage.Version);
nugetConsole.IsMessageFoundInPMC("package integrity check failed").Should().BeTrue("Integrity failed message shown.");
Utils.AssetPackageNotInPackagesConfig(VisualStudio, testContext.Project, signedPackage.Id, signedPackage.Version, XunitLogger);
}
}
public async Task Tampered_InstallFromPMCForPR_FailAsync(ProjectTemplate projectTemplate)
{
// Arrange
EnsureVisualStudioHost();
var signedPackage = _fixture.AuthorSignedTestPackage;
using (var testContext = new ApexTestContext(VisualStudio, projectTemplate, XunitLogger))
{
await SimpleTestPackageUtility.CreatePackagesAsync(testContext.PackageSource, signedPackage);
SignedArchiveTestUtility.TamperWithPackage(Path.Combine(testContext.PackageSource, signedPackage.PackageName));
var nugetConsole = GetConsole(testContext.Project);
nugetConsole.InstallPackageFromPMC(signedPackage.Id, signedPackage.Version);
nugetConsole.IsMessageFoundInPMC("package integrity check failed").Should().BeTrue("Integrity failed message shown.");
testContext.SolutionService.Build();
testContext.NuGetApexTestService.WaitForAutoRestore();
CommonUtility.AssertPackageReferenceDoesNotExist(VisualStudio, testContext.Project, signedPackage.Id, signedPackage.Version, XunitLogger);
}
}
