public void GetAllowListEntries_WithDuplicateEntries_ConflictingAllowUntrustedRoot_WarnsAndSetsToFalse()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<repository name=""repository1"" serviceIndex=""api.v3ServiceIndex.test/json"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""abc"" hashAlgorithm=""SHA512"" allowUntrustedRoot=""false"" />
<owners>nuget;randomOwner</owners>
</repository>
<author name=""author1"">
<certificate fingerprint=""jkl"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" />
</author>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var logger = new Mock <ILogger>();
var entries = TrustedSignersProvider.GetAllowListEntries(settings, logger.Object);
entries.Should().NotBeNull();
entries.Count.Should().Be(4);
logger.Verify(l =>
l.Log(It.Is <ILogMessage>(m =>
m.Level == LogLevel.Warning &&
m.Code == NuGetLogCode.NU3040)));
var expectedEntries = new List <VerificationAllowListEntry>()
{
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "abc", HashAlgorithmName.SHA512, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Author | VerificationTarget.Repository, SignaturePlacement.Any, "abc", HashAlgorithmName.SHA256, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "def", HashAlgorithmName.SHA256, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Author, SignaturePlacement.PrimarySignature, "jkl", HashAlgorithmName.SHA256),
};
entries.Should().BeEquivalentTo(expectedEntries);
}
}
public void GetRestoreSettingsTask_FindConfigInProjectFolder()
{
// Verifies that we include any config file found in the project folder
using (var machineWide = TestDirectory.CreateInTemp())
using (var workingDir = TestDirectory.CreateInTemp())
{
// Arrange
SettingsTestUtils.CreateConfigurationFile(Settings.DefaultSettingsFileName, machineWide, MachineWideSettingsConfig);
var machineWideSettings = new Lazy <IMachineWideSettings>(() => new TestMachineWideSettings(new Settings(machineWide, Settings.DefaultSettingsFileName, isMachineWide: true)));
var innerConfigFile = Path.Combine(workingDir, "sub", Settings.DefaultSettingsFileName);
var outerConfigFile = Path.Combine(workingDir, Settings.DefaultSettingsFileName);
var projectDirectory = Path.GetDirectoryName(innerConfigFile);
Directory.CreateDirectory(projectDirectory);
File.WriteAllText(innerConfigFile, InnerConfig);
File.WriteAllText(outerConfigFile, OuterConfig);
var settings = RestoreSettingsUtils.ReadSettings(null, projectDirectory, null, machineWideSettings);
var innerValue = SettingsUtility.GetValueForAddItem(settings, "SectionName", "inner-key");
var outerValue = SettingsUtility.GetValueForAddItem(settings, "SectionName", "outer-key");
// Assert
Assert.Equal("inner-value", innerValue);
Assert.Equal("outer-value", outerValue);
Assert.True(settings.GetConfigFilePaths().Contains(innerConfigFile));
Assert.True(settings.GetConfigFilePaths().Contains(outerConfigFile));
}
}
public void DotnetTrust_ListAction_Succeeds()
{
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var nugetConfigContent = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""signer"">
<certificate fingerprint=""abcdef"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
var expectedAuthorContent = $@"Registered trusted signers:
1. signer [author]
Certificate fingerprint(s):
SHA256 - abcdef
";
File.WriteAllText(nugetConfigPath, nugetConfigContent);
//Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.WorkingDirectory,
$"nuget trust list --configfile {nugetConfigPath}");
// Assert
result.Success.Should().BeTrue();
SettingsTestUtils.RemoveWhitespace(result.Output).Should().Contain(SettingsTestUtils.RemoveWhitespace(expectedAuthorContent));
}
}
public async Task DotnetTrust_AuthorAction_RelativePathConfileFile_Succeeds(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource);
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<!--To inherit the global NuGet package sources remove the <clear/> line below -->
<clear />
<add key=""NuGetSource"" value=""{pathContext.PackageSource}"" />
</packageSources>
<config>
<add key=""signaturevalidationmode"" value=""accept"" />
</config>
<trustedSigners>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile ..{Path.DirectorySeparatorChar}{nugetConfigFileName}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", "nuget"));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<!--To inherit the global NuGet package sources remove the < clear /> line below-->
<clear/>
<add key = ""NuGetSource"" value = ""{pathContext.PackageSource}""/>
</packageSources >
<config>
<add key = ""signaturevalidationmode"" value = ""accept""/>
</config>
< trustedSigners>
<author name = ""nuget"">
<certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void GetTrustedSigner_WithEmptyTrustedSignersSection_ReturnsEmptyList()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var trustedSignerProvider = new TrustedSignersProvider(settings);
var trustedSigners = trustedSignerProvider.GetTrustedSigners();
trustedSigners.Should().NotBeNull();
trustedSigners.Should().BeEmpty();
}
}
public void TestConfigFileProbingDirectory()
{
// Arrange
var parentConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<fallbackPackageFolders>
<add key=""a"" value=""C:\Temp\a"" />
</fallbackPackageFolders>
</configuration>";
var unreachableConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<fallbackPackageFolders>
<add key=""b"" value=""C:\Temp\b"" />
</fallbackPackageFolders>
</configuration>";
var baseConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<add key=""c"" value=""C:\Temp\c"" />
</packageSources>
</configuration>";
var configName = "NuGet.Config";
using (var machineWide = TestDirectory.CreateInTemp())
using (var mockParentDirectory = TestDirectory.CreateInTemp())
{
// Parent
// Base
// Probe Path
// Unreachable
var basePath = Path.Combine(mockParentDirectory, "base");
var unreachablePath = Path.Combine(mockParentDirectory, "unreachable");
var probePath = Path.Combine(basePath, "probe");
Directory.CreateDirectory(basePath);
Directory.CreateDirectory(unreachablePath);
Directory.CreateDirectory(probePath);
SettingsTestUtils.CreateConfigurationFile(configName, mockParentDirectory, parentConfig);
SettingsTestUtils.CreateConfigurationFile(configName, basePath, baseConfig);
SettingsTestUtils.CreateConfigurationFile(configName, unreachablePath, unreachableConfig);
SettingsTestUtils.CreateConfigurationFile(configName, machineWide, MachineWideSettingsConfig);
var machineWideSettings = new Lazy <IMachineWideSettings>(() => new TestMachineWideSettings(new Settings(machineWide, configName, isMachineWide: true)));
// Test
var settings = RestoreSettingsUtils.ReadSettings(null, probePath, null, machineWideSettings);
var filePaths = settings.GetConfigFilePaths();
Assert.Equal(4, filePaths.Count()); // base, parent, app data + machine wide
Assert.Contains(Path.Combine(basePath, configName), filePaths);
Assert.Contains(Path.Combine(mockParentDirectory, configName), filePaths);
Assert.DoesNotContain(Path.Combine(unreachablePath, configName), filePaths);
}
}
public async Task TrustedSignersCommand_AddTrustedSigner_WithRepositoryCountersignedPackage_AddsItSuccesfullyToConfigAsync(bool allowUntrustedRoot, string owners)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
// Arrange
var package = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var zipStream = await package.CreateAsStreamAsync())
using (var authorTrustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
using (var repoTrustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(repoTrustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var authorSignedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(authorTrustedTestCert.Source.Cert, package, dir);
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(repoTrustedTestCert.Source.Cert, authorSignedPackagePath, dir, new Uri(repoServiceIndex));
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, dir, config);
var nugetConfigPath = Path.Combine(dir, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "-AllowUntrustedRoot" : string.Empty;
var ownersArgs = string.Empty;
var expectedOwners = string.Empty;
if (owners != null)
{
ownersArgs = $"-Owners {owners}";
expectedOwners = $"<owners>{owners}</owners>";
}
// Act
var commandResult = CommandRunner.Run(
_nugetExePath,
dir,
$"trusted-signers add {signedPackagePath} -Name signer -Repository {allowUntrustedRootArg} {ownersArgs} -Config {nugetConfigPath}",
waitForExit: true);
// Assert
commandResult.Success.Should().BeTrue();
commandResult.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "repository", "signer"));
var expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<repository name=""signer"" serviceIndex=""{repoServiceIndex}"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot.ToString().ToLower()}"" />
{expectedOwners}
</repository>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void GetClientPolicy_ReadsAndParsesTrustedSigners()
{
// Arrange
var config = @"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""require"" />
</config>
<trustedSigners>
<author name=""author1"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<repository name=""repository1"" serviceIndex=""https://v3serviceIndex.test/api/json"">
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""true"" />
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var expectedAllowList = new List <VerificationAllowListEntry>()
{
new TrustedSignerAllowListEntry(VerificationTarget.Author, SignaturePlacement.PrimarySignature, "abc", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "def", HashAlgorithmName.SHA256, allowUntrustedRoot: true)
};
var clientPolicyContext = ClientPolicyContext.GetClientPolicy(settings, NullLogger.Instance);
clientPolicyContext.Policy.Should().Be(SignatureValidationMode.Require);
clientPolicyContext.AllowList.Count.Should().Be(2);
clientPolicyContext.AllowList.Should().BeEquivalentTo(expectedAllowList);
var verifierSettings = clientPolicyContext.VerifierSettings;
verifierSettings.AllowUnsigned.Should().BeFalse();
verifierSettings.AllowIllegal.Should().BeFalse();
verifierSettings.AllowUntrusted.Should().BeFalse();
verifierSettings.AllowIgnoreTimestamp.Should().BeTrue();
verifierSettings.AllowMultipleTimestamps.Should().BeTrue();
verifierSettings.AllowNoTimestamp.Should().BeTrue();
verifierSettings.AllowUnknownRevocation.Should().BeTrue();
verifierSettings.ReportUnknownRevocation.Should().BeTrue();
verifierSettings.VerificationTarget.Should().Be(VerificationTarget.All);
verifierSettings.SignaturePlacement.Should().Be(SignaturePlacement.Any);
verifierSettings.RepositoryCountersignatureVerificationBehavior.Should().Be(SignatureVerificationBehavior.IfExistsAndIsNecessary);
verifierSettings.RevocationMode.Should().Be(RevocationMode.Online);
}
}
public async Task ClientPolicies_WithoutSignerInTrustedSignersList_WithMatchingOwnersAsync(SigningTestType signature, string validationMode, bool expectedResult, int expectedErrors, int expectedWarnings)
{
// Arrange
using (var dir = TestDirectory.Create())
using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert))
using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert))
{
var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256);
var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256);
var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate);
var config = $@"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""{validationMode}"" />
</config>
<trustedSigners>
<repository name=""repo1"" serviceIndex=""https://api.v3serviceIndex.test/json"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<owners>owner1</owners>
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config);
// Act and Assert
var settings = new Settings(dir);
var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance);
var trustProviders = new[]
{
new AllowListVerificationProvider()
};
var verifier = new PackageSignatureVerifier(trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, verifierSettings, CancellationToken.None);
var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any());
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.Valid.Should().Be(expectedResult);
totalWarningIssues.Count().Should().Be(expectedWarnings);
totalErrorIssues.Count().Should().Be(expectedErrors);
}
}
}
public void GetAllowListEntries_WithDuplicateFingerprints_DifferentHashAlgorithm_TakesThemAsDifferentEntries()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<repository name=""repository1"" serviceIndex=""api.v3ServiceIndex.test/json"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""abc"" hashAlgorithm=""SHA512"" allowUntrustedRoot=""false"" />
<owners>nuget;randomOwner</owners>
</repository>
<author name=""author1"">
<certificate fingerprint=""jkl"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var entries = TrustedSignersProvider.GetAllowListEntries(settings, NullLogger.Instance);
entries.Should().NotBeNull();
entries.Count.Should().Be(4);
var expectedEntries = new List <VerificationAllowListEntry>()
{
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "abc", HashAlgorithmName.SHA512, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Author | VerificationTarget.Repository, SignaturePlacement.Any, "abc", HashAlgorithmName.SHA256, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "def", HashAlgorithmName.SHA256, owners: new List <string>()
{
"nuget", "randomOwner"
}),
new TrustedSignerAllowListEntry(VerificationTarget.Author, SignaturePlacement.PrimarySignature, "jkl", HashAlgorithmName.SHA256),
};
entries.Should().BeEquivalentTo(expectedEntries);
}
}
public void AddOrUpdateTrustedSigner_WithNewTrustedSigner_AddsItSuccesfully()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<author name=""author1"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<author name=""author2"">
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<repository name=""repo1"" serviceIndex=""https://serviceIndex.test/v3/api.json"">
<certificate fingerprint=""ghi"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
var expectedTrustedSigners = new List <TrustedSignerItem>()
{
new AuthorItem("author1", new CertificateItem("abc", HashAlgorithmName.SHA256)),
new AuthorItem("author2", new CertificateItem("def", HashAlgorithmName.SHA256)),
new RepositoryItem("repo1", "https://serviceIndex.test/v3/api.json", new CertificateItem("ghi", HashAlgorithmName.SHA256)),
new AuthorItem("author3", new CertificateItem("jkl", HashAlgorithmName.SHA256)),
};
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var trustedSignerProvider = new TrustedSignersProvider(settings);
trustedSignerProvider.AddOrUpdateTrustedSigner(new AuthorItem("author3", new CertificateItem("jkl", HashAlgorithmName.SHA256)));
var trustedSigners = trustedSignerProvider.GetTrustedSigners();
trustedSigners.Should().NotBeNull();
trustedSigners.Count.Should().Be(4);
trustedSigners.Should().BeEquivalentTo(
expectedTrustedSigners,
options => options
.Excluding(o => o.Path == "[0].Origin")
.Excluding(o => o.Path == "[1].Origin")
.Excluding(o => o.Path == "[2].Origin")
.Excluding(o => o.Path == "[3].Origin"));
}
}
public void TestSolutionSettings()
{
// Arrange
var subFolderConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<fallbackPackageFolders>
<add key=""a"" value=""C:\Temp\a"" />
</fallbackPackageFolders>
</configuration>";
var baseConfig = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<fallbackPackageFolders>
<add key=""b"" value=""C:\Temp\b"" />
</fallbackPackageFolders>
<packageSources>
<add key=""c"" value=""C:\Temp\c"" />
</packageSources>
</configuration>";
var baseConfigPath = "NuGet.Config";
using (var machineWide = TestDirectory.CreateInTemp())
using (var mockBaseDirectory = TestDirectory.CreateInTemp())
{
var subFolder = Path.Combine(mockBaseDirectory, "sub");
var solutionDirectoryConfig = Path.Combine(mockBaseDirectory, NuGetConstants.NuGetSolutionSettingsFolder);
SettingsTestUtils.CreateConfigurationFile(baseConfigPath, solutionDirectoryConfig, baseConfig);
SettingsTestUtils.CreateConfigurationFile(baseConfigPath, subFolder, subFolderConfig);
SettingsTestUtils.CreateConfigurationFile(baseConfigPath, machineWide, MachineWideSettingsConfig);
var machineWideSettings = new Lazy <IMachineWideSettings>(() => new TestMachineWideSettings(new Settings(machineWide, baseConfigPath, isMachineWide: true)));
// Test
var settings = RestoreSettingsUtils.ReadSettings(mockBaseDirectory, mockBaseDirectory, null, machineWideSettings);
var filePaths = settings.GetConfigFilePaths();
Assert.Equal(3, filePaths.Count()); // Solution, app data + machine wide
Assert.True(filePaths.Contains(Path.Combine(solutionDirectoryConfig, baseConfigPath)));
Assert.True(filePaths.Contains(Path.Combine(machineWide, baseConfigPath)));
// Test
settings = RestoreSettingsUtils.ReadSettings(mockBaseDirectory, mockBaseDirectory, Path.Combine(subFolder, baseConfigPath), machineWideSettings);
filePaths = settings.GetConfigFilePaths();
Assert.Equal(1, filePaths.Count());
Assert.True(filePaths.Contains(Path.Combine(subFolder, baseConfigPath)));
}
}
public async Task DotnetTrust_CertificateFingerPrintAction_WithExistingSigner_AppendSucceeds(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""MyCompanyCert"">
<certificate fingerprint=""abcdefg"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var authorName = "MyCompanyCert";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, "Successfully updated the trusted signer '{0}'.", authorName));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
< trustedSigners>
<author name = ""{authorName}"">
< certificate fingerprint = ""abcdefg"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""false""/>
< certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public async Task DotnetTrust_RepositoryAction_Succeeds(bool allowUntrustedRoot, string owners)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var ownersArgs = string.Empty;
var expectedOwners = string.Empty;
if (owners != null)
{
ownersArgs = $"--owners {owners}";
expectedOwners = $"<owners>{owners}</owners>";
}
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust repository nuget {signedPackagePath} {allowUntrustedRootArg} {ownersArgs} --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
resultAdd.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "repository", "nuget"));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
< trustedSigners>
<repository name = ""nuget"" serviceIndex=""https://serviceindex.test/v3/index.json"">
< certificate fingerprint = ""{certFingerprint}"" hashAlgorithm = ""SHA256"" allowUntrustedRoot = ""{allowUntruestedRootValue}""/>{expectedOwners}
</repository>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void GetTrustedSigner_WithItemsDifferentThanTrustedSigners_IgnoresThemAndOnlyReturnsTrustedSigners()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<add key=""oneKey"" value=""val"" />
<author name=""author1"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<author name=""author2"">
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<certificate fingerprint=""ghi"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<repository name=""repo1"" serviceIndex=""https://serviceIndex.test/v3/api.json"">
<certificate fingerprint=""ghi"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</repository>
<add key=""otherKey"" value=""val"" />
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
var expectedTrustedSigners = new List <TrustedSignerItem>()
{
new AuthorItem("author1", new CertificateItem("abc", HashAlgorithmName.SHA256)),
new AuthorItem("author2", new CertificateItem("def", HashAlgorithmName.SHA256)),
new RepositoryItem("repo1", "https://serviceIndex.test/v3/api.json", new CertificateItem("ghi", HashAlgorithmName.SHA256))
};
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var trustedSignerProvider = new TrustedSignersProvider(settings);
var trustedSigners = trustedSignerProvider.GetTrustedSigners();
trustedSigners.Should().NotBeNull();
trustedSigners.Count.Should().Be(3);
trustedSigners.Should().BeEquivalentTo(
expectedTrustedSigners,
options => options
.Excluding(o => o.SelectedMemberPath == "[0].Origin")
.Excluding(o => o.SelectedMemberPath == "[1].Origin")
.Excluding(o => o.SelectedMemberPath == "[2].Origin"));
}
}
public async Task ClientPolicies_WithNoTrustedSignersListAsync(SigningTestType signature, string validationMode, bool expectedResult, int expectedErrors)
{
// Arrange
using (var dir = TestDirectory.Create())
using (var authorCertificate = new X509Certificate2(_trustedAuthorTestCert.Source.Cert))
using (var repoCertificate = new X509Certificate2(_trustedRepoTestCert.Source.Cert))
{
var authorCertificateFingerprintString = SignatureTestUtility.GetFingerprint(authorCertificate, HashAlgorithmName.SHA256);
var repoCertificateFingerprintString = SignatureTestUtility.GetFingerprint(repoCertificate, HashAlgorithmName.SHA256);
var signedPackagePath = await CreateSignedPackageAsync(dir, signature, authorCertificate, repoCertificate);
var config = $@"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""{validationMode}"" />
</config>
</configuration>";
var nugetConfigPath = "NuGet.Config";
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, dir, config);
// Act and Assert
var settings = new Settings(dir);
var clientPolicyContext = ClientPolicyContext.GetClientPolicy(settings, NullLogger.Instance);
var trustProviders = new[]
{
new AllowListVerificationProvider(clientPolicyContext.AllowList, requireNonEmptyAllowList: clientPolicyContext.Policy == SignatureValidationMode.Require)
};
var verifier = new PackageSignatureVerifier(trustProviders);
using (var packageReader = new PackageArchiveReader(signedPackagePath))
{
// Act
var result = await verifier.VerifySignaturesAsync(packageReader, clientPolicyContext.VerifierSettings, CancellationToken.None);
var resultsWithWarnings = result.Results.Where(r => r.GetWarningIssues().Any());
var resultsWithErrors = result.Results.Where(r => r.GetErrorIssues().Any());
var totalWarningIssues = resultsWithWarnings.SelectMany(r => r.GetWarningIssues());
var totalErrorIssues = resultsWithErrors.SelectMany(r => r.GetErrorIssues());
// Assert
result.IsValid.Should().Be(expectedResult);
totalWarningIssues.Count().Should().Be(0);
totalErrorIssues.Count().Should().Be(expectedErrors);
}
}
}
public async Task TrustedSignersCommand_AddTrustedSigner_WithAuthorSignedPackage_AddsItSuccesfullyToConfigAsync(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
// Arrange
var package = new SimpleTestPackageContext();
using (var dir = TestDirectory.Create())
using (var zipStream = await package.CreateAsStreamAsync())
using (var trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, dir);
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, dir, config);
var nugetConfigPath = Path.Combine(dir, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "-AllowUntrustedRoot" : string.Empty;
// Act
var commandResult = CommandRunner.Run(
_nugetExePath,
dir,
$"trusted-signers add {signedPackagePath} -Name signer -Author {allowUntrustedRootArg} -Config {nugetConfigPath}",
waitForExit: true);
// Assert
commandResult.Success.Should().BeTrue();
commandResult.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", "signer"));
var expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""signer"">
<certificate fingerprint=""{certFingerprint}"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot.ToString().ToLower()}"" />
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void Remove_IgnoresAnyUnexistantTrustedSigner()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<author name=""author1"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<author name=""author2"">
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<repository name=""repo1"" serviceIndex=""https://serviceIndex.test/v3/api.json"">
<certificate fingerprint=""ghi"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
var expectedTrustedSigners = new List <TrustedSignerItem>()
{
new AuthorItem("author2", new CertificateItem("def", HashAlgorithmName.SHA256)),
new RepositoryItem("repo1", "https://serviceIndex.test/v3/api.json", new CertificateItem("ghi", HashAlgorithmName.SHA256))
};
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var trustedSignerProvider = new TrustedSignersProvider(settings);
var trustedSigners = trustedSignerProvider.GetTrustedSigners();
trustedSignerProvider.Remove(new[] { trustedSigners.First(), new AuthorItem("DontExist", new CertificateItem("abc", HashAlgorithmName.SHA256)) });
trustedSigners = trustedSignerProvider.GetTrustedSigners();
trustedSigners.Should().NotBeNull();
trustedSigners.Count.Should().Be(2);
trustedSigners.Should().BeEquivalentTo(expectedTrustedSigners);
}
}
public void TrustedSignersCommand_AddTrustedSigner_WithExistingSigner_UpdatesItSuccesfullyInConfig(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""signer"">
<certificate fingerprint=""abcdefg"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
// Arrange
using (var dir = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, dir, config);
var nugetConfigPath = Path.Combine(dir, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "-AllowUntrustedRoot" : string.Empty;
// Act
var commandResult = CommandRunner.Run(
_nugetExePath,
dir,
$"trusted-signers add -Name signer -CertificateFingerprint hijklmn -FingerprintAlgorithm SHA256 {allowUntrustedRootArg} -Config {nugetConfigPath}",
waitForExit: true);
// Assert
commandResult.Success.Should().BeTrue();
commandResult.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulActionTrustedSigner, "updated", "signer", "signer"));
var expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<author name=""signer"">
<certificate fingerprint=""abcdefg"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""hijklmn"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""{allowUntrustedRoot.ToString().ToLower()}"" />
</author>
</trustedSigners>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void GetAllowListEntries_TrustedRepository_WithMultipleCertificates_ParsedCorrectly()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<repository name=""repository1"" serviceIndex=""api.v3ServiceIndex.test/json"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""ghi"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</repository>
<repository name=""repository2"" serviceIndex=""api.v3ServiceIndex.test/json"">
<certificate fingerprint=""jkl"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
<certificate fingerprint=""mno"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</repository>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var entries = TrustedSignersProvider.GetAllowListEntries(settings, NullLogger.Instance);
entries.Should().NotBeNull();
entries.Count.Should().Be(5);
var expectedEntries = new List <VerificationAllowListEntry>()
{
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "abc", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "def", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "ghi", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "jkl", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Repository, SignaturePlacement.Any, "mno", HashAlgorithmName.SHA256)
};
entries.Should().BeEquivalentTo(expectedEntries);
}
}
public async Task DotnetTrust_CertificateFingerPrintAction_TryAddSameFingerPrint_Fails(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
var authorName = "MyCompanyCert";
// Act
CommandRunnerResult result = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}");
// Assert
result.Success.Should().BeTrue();
result.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulAddTrustedSigner, "author", authorName));
// Try to add same certificate fingerprint should fail
result = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust certificate {authorName} {certFingerprint} {allowUntrustedRootArg} --algorithm SHA256 --configfile {nugetConfigPath}", ignoreExitCode: true);
// Main assert
result.Success.Should().BeFalse();
result.AllOutput.Should().Contain("The certificate finger you're trying to add is already in the certificate fingerprint list");
result.AllOutput.Should().NotContain("--help");
}
}
public async Task DotnetTrust_RemoveAction_Succeeds()
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var repositoryName = "nuget";
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<trustedSigners>
<repository name = ""{repositoryName}"" serviceIndex=""https://serviceindex.test/v3/index.json"">
<certificate fingerprint=""abcdef"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false""/>
</repository>
</trustedSigners>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
// Act
CommandRunnerResult resultSync = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust remove {repositoryName} --configfile {nugetConfigPath}");
// Assert
resultSync.Success.Should().BeTrue();
resultSync.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture, _successfulRemoveTrustedSigner, repositoryName));
string expectedResult = SettingsTestUtils.RemoveWhitespace($@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>");
SettingsTestUtils.RemoveWhitespace(File.ReadAllText(nugetConfigPath)).Should().Be(expectedResult);
}
}
public void GetClientPolicy_AcceptMode_ReadsClientPolicyCorrectly()
{
// Arrange
var config = @"
<configuration>
<config>
<add key=""signatureValidationMode"" value=""accept"" />
</config>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var clientPolicyContext = ClientPolicyContext.GetClientPolicy(settings, NullLogger.Instance);
clientPolicyContext.Policy.Should().Be(SignatureValidationMode.Accept);
clientPolicyContext.AllowList.Should().BeEmpty();
var verifierSettings = clientPolicyContext.VerifierSettings;
verifierSettings.AllowUnsigned.Should().BeTrue();
verifierSettings.AllowIllegal.Should().BeTrue();
verifierSettings.AllowUntrusted.Should().BeTrue();
verifierSettings.AllowIgnoreTimestamp.Should().BeTrue();
verifierSettings.AllowMultipleTimestamps.Should().BeTrue();
verifierSettings.AllowNoTimestamp.Should().BeTrue();
verifierSettings.AllowUnknownRevocation.Should().BeTrue();
verifierSettings.ReportUnknownRevocation.Should().BeFalse();
verifierSettings.VerificationTarget.Should().Be(VerificationTarget.All);
verifierSettings.SignaturePlacement.Should().Be(SignaturePlacement.Any);
verifierSettings.RepositoryCountersignatureVerificationBehavior.Should().Be(SignatureVerificationBehavior.IfExistsAndIsNecessary);
verifierSettings.RevocationMode.Should().Be(RevocationMode.Online);
}
}
public async Task DotnetTrust_AuthorAction_TryAddSameAuthor_Fails(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
string certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
string signedPackagePath = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource);
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "--allow-untrusted-root" : string.Empty;
var allowUntruestedRootValue = allowUntrustedRoot ? "true" : "false";
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
// Try to add same author again.
resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust author nuget {signedPackagePath} {allowUntrustedRootArg} --configfile {nugetConfigPath}", ignoreExitCode: true);
// Main assert
resultAdd.Success.Should().BeFalse();
resultAdd.AllOutput.Should().Contain("error: A trusted signer 'nuget' already exists.");
resultAdd.AllOutput.Should().NotContain("--help");
}
}
public async Task TrustedSignersCommand_AddTrustedSigner_WithAuthorSignedPackage_AddsMultipleFilesThrows(bool allowUntrustedRoot)
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
// Arrange
var nupkgA = new SimpleTestPackageContext("A", "1.0.0");
var nupkgB = new SimpleTestPackageContext("B", "1.0.0");
using (var dir = TestDirectory.Create())
using (var zipStream = await nupkgA.CreateAsStreamAsync())
using (var trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var signedPackagePathA = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, nupkgA, dir);
var signedPackagePathB = await SignedArchiveTestUtility.AuthorSignPackageAsync(trustedTestCert.Source.Cert, nupkgB, dir);
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, dir, config);
var nugetConfigPath = Path.Combine(dir, nugetConfigFileName);
var allowUntrustedRootArg = allowUntrustedRoot ? "-AllowUntrustedRoot" : string.Empty;
var multiplePackagesPath = $"{dir}{Path.DirectorySeparatorChar}*.nupkg";
// Act
var commandResult = CommandRunner.Run(
_nugetExePath,
dir,
$"trusted-signers add {multiplePackagesPath} -Name signer -Author {allowUntrustedRootArg} -Config {nugetConfigPath}",
waitForExit: true);
// Assert
commandResult.Success.Should().BeFalse();
commandResult.AllOutput.Should().Contain(string.Format(CultureInfo.CurrentCulture,
"Multiple nupkg files detected on '{0}' path to trust, only 1 is allowed.",
multiplePackagesPath));
}
}
public void GetAllowListEntries_WithoutTrustedSignersSection_ReturnsEmptyList()
{
// Arrange
var config = @"
<configuration>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var entries = TrustedSignersProvider.GetAllowListEntries(settings, NullLogger.Instance);
entries.Should().NotBeNull();
entries.Should().BeEmpty();
}
}
public async Task DotnetTrust_RepositoryAction_TryAddSameRepository_Fails()
{
// Arrange
var nugetConfigFileName = "NuGet.Config";
var package = new SimpleTestPackageContext();
using (SimpleTestPathContext pathContext = _msbuildFixture.CreateSimpleTestPathContext())
using (MemoryStream zipStream = await package.CreateAsStreamAsync())
using (TrustedTestCert <TestCertificate> trustedTestCert = SigningTestUtility.GenerateTrustedTestCertificate())
{
var certFingerprint = SignatureTestUtility.GetFingerprint(trustedTestCert.Source.Cert, HashAlgorithmName.SHA256);
var repoServiceIndex = "https://serviceindex.test/v3/index.json";
var signedPackagePath = await SignedArchiveTestUtility.RepositorySignPackageAsync(trustedTestCert.Source.Cert, package, pathContext.PackageSource, new Uri(repoServiceIndex));
var config = $@"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
</configuration>";
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, pathContext.WorkingDirectory, config);
var nugetConfigPath = Path.Combine(pathContext.WorkingDirectory, nugetConfigFileName);
// Act
CommandRunnerResult resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust repository nuget {signedPackagePath} --configfile {nugetConfigPath}");
// Assert
resultAdd.Success.Should().BeTrue();
// Try to add same repository again
resultAdd = _msbuildFixture.RunDotnet(
pathContext.SolutionRoot,
$"nuget trust repository nuget {signedPackagePath} --configfile {nugetConfigPath}", ignoreExitCode: true);
// Main assert
resultAdd.Success.Should().BeFalse();
resultAdd.AllOutput.Should().Contain("error: A trusted signer 'nuget' already exists.");
resultAdd.AllOutput.Should().NotContain("--help");
}
}
public void GetAllowListEntries_TrustedAuthor_WithOneCertificate_ParsedCorrectly()
{
// Arrange
var config = @"
<configuration>
<trustedSigners>
<author name=""author1"">
<certificate fingerprint=""abc"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
<author name=""author2"">
<certificate fingerprint=""def"" hashAlgorithm=""SHA256"" allowUntrustedRoot=""false"" />
</author>
</trustedSigners>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var entries = TrustedSignersProvider.GetAllowListEntries(settings, NullLogger.Instance);
entries.Should().NotBeNull();
entries.Count.Should().Be(2);
var expectedEntries = new List <VerificationAllowListEntry>()
{
new TrustedSignerAllowListEntry(VerificationTarget.Author, SignaturePlacement.PrimarySignature, "abc", HashAlgorithmName.SHA256),
new TrustedSignerAllowListEntry(VerificationTarget.Author, SignaturePlacement.PrimarySignature, "def", HashAlgorithmName.SHA256)
};
entries.Should().BeEquivalentTo(expectedEntries);
}
}
public void GetClientPolicy_WhenNoClientPolicy_DefaultsToAccept()
{
// Arrange
var config = @"
<configuration>
</configuration>";
var nugetConfigPath = "NuGet.Config";
using (var mockBaseDirectory = TestDirectory.Create())
{
SettingsTestUtils.CreateConfigurationFile(nugetConfigPath, mockBaseDirectory, config);
// Act and Assert
var settings = new Settings(mockBaseDirectory);
settings.Should().NotBeNull();
var verifierSettings = SignedPackageVerifierSettings.GetClientPolicy(settings, NullLogger.Instance);
verifierSettings.AllowUnsigned.Should().Be(true);
verifierSettings.AllowIllegal.Should().Be(true);
verifierSettings.AllowUntrusted.Should().Be(true);
verifierSettings.AllowIgnoreTimestamp.Should().Be(true);
verifierSettings.AllowMultipleTimestamps.Should().Be(true);
verifierSettings.AllowNoTimestamp.Should().Be(true);
verifierSettings.AllowUnknownRevocation.Should().Be(true);
verifierSettings.ReportUnknownRevocation.Should().Be(false);
verifierSettings.AllowNoRepositoryCertificateList.Should().Be(true);
verifierSettings.AllowNoClientCertificateList.Should().Be(true);
verifierSettings.VerificationTarget.Should().Be(VerificationTarget.All);
verifierSettings.SignaturePlacement.Should().Be(SignaturePlacement.Any);
verifierSettings.RepositoryCountersignatureVerificationBehavior.Should().Be(SignatureVerificationBehavior.IfExistsAndIsNecessary);
verifierSettings.RevocationMode.Should().Be(RevocationMode.Online);
verifierSettings.RepositoryCertificateList.Should().BeNull();
verifierSettings.ClientCertificateList.Should().BeEmpty();
}
}
public void EvaluateSources_GivenConfigWithCredentials_ReturnsPackageSourceWithCredentials()
{
using (var mockBaseDirectory = TestDirectory.Create())
{
List <PackageSource> source = new List <PackageSource>()
{
new PackageSource("https://contoso.org/v3/index.json"), new PackageSource("b")
};
var nugetConfigFileName = "NuGet.Config";
var config = @"<?xml version=""1.0"" encoding=""utf-8""?>
<configuration>
<packageSources>
<add key=""Contoso"" value=""https://contoso.org/v3/index.json"" />
<add key=""b"" value =""b"" />
</packageSources>
<packageSourceCredentials>
<Contoso>
<add key=""Username"" value=""user @contoso.com"" />
<add key=""Password"" value=""..."" />
</Contoso>
</packageSourceCredentials>
</configuration>";
var configPath = Path.Combine(mockBaseDirectory, nugetConfigFileName);
SettingsTestUtils.CreateConfigurationFile(nugetConfigFileName, mockBaseDirectory, config);
var settingsLoadContext = new SettingsLoadingContext();
var settings = Settings.LoadImmutableSettingsGivenConfigPaths(new string[] { configPath }, settingsLoadContext);
var result = AddPackageCommandUtility.EvaluateSources(source, settings.GetConfigFilePaths());
// Asert
Assert.Equal(2, result.Count);
Assert.NotEqual(null, result[0].Credentials);
}
}
