def test_extract_public_keys(self):
meta_payload = {
"public_keys": [
{
"key_identifier": "90a421169f0a406205f1563a953312f0be898d3c"
"7b6c06b681aa86a874555f4a",
"key": "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n",
"is_current": True,
}
]
}
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=cache,
)
keys = vuln_report_verifier.extract_public_keys(pubkey_api_data=meta_payload)
assert keys == [
{
"key": "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n",
"key_id": "90a421169f0a406205f1563a953312f0be"
"898d3c7b6c06b681aa86a874555f4a",
}
]
assert cache.cache == keys
def test_check_signature_invalid_signature(self):
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
public_key = (
"-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n"
)
signature = (
"MEUCIQDz4wvDZjrX2YHsWd34db33f0gny6xYMD0AGrwEhTHGRAIgXCSvx"
"Tl2SdnaY7fImXFRSKhbw3IRf68g1LMaQRetM80="
)
payload = (
b'[{"project":"vuln_project",'
b'"versions":["v1","v2"],'
b'"id":"vuln_id",'
b'"link":"vulns.com/vuln_id",'
b'"aliases":["vuln_alias"]}]'
)
with pytest.raises(integrations.InvalidPayloadSignatureError) as exc:
vuln_report_verifier._check_signature(
payload=payload, public_key=public_key, signature=signature
)
assert str(exc.value) == "Invalid signature"
assert exc.value.reason == "invalid_signature"
def test_retrieve_public_key_payload(self):
meta_payload = {
"public_keys": [
{
"key_identifier": "90a421169f0a406205f1563a953312f0be898d3c"
"7b6c06b681aa86a874555f4a",
"key": "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n",
"is_current": True,
}
]
}
response = pretend.stub(
json=lambda: meta_payload, raise_for_status=lambda: None
)
session = pretend.stub(get=pretend.call_recorder(lambda *a, **k: response))
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=metrics,
public_keys_cache=pretend.stub(),
)
assert vuln_report_verifier.retrieve_public_key_payload() == meta_payload
assert session.get.calls == [
pretend.call(
"http://foo",
)
]
def test_verify_cache_miss(self):
# Example taken from
# https://gist.github.com/ewjoachim/7dde11c31d9686ed6b4431c3ca166da2
meta_payload = {
"public_keys": [
{
"key_identifier": "90a421169f0a406205f1563a953312f0be898d3c"
"7b6c06b681aa86a874555f4a",
"key": "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n",
"is_current": True,
}
]
}
response = pretend.stub(
json=lambda: meta_payload, raise_for_status=lambda: None
)
session = pretend.stub(get=lambda *a, **k: response)
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=metrics,
public_keys_cache=cache,
)
key_id = "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a"
signature = (
"MEUCIQDz4wvDZjrX2YHsWhmu5Cvvp0gny6xYMD0AGrwEhTHGRAIgXCSvx"
"Tl2SdnaY7fImXFRSKhbw3IRf68g1LMaQRetM80="
)
payload = (
b'[{"project":"vuln_project",'
b'"versions":["v1","v2"],'
b'"id":"vuln_id",'
b'"link":"vulns.com/vuln_id",'
b'"aliases":["vuln_alias"]}]'
)
assert (
vuln_report_verifier.verify(
payload=payload, key_id=key_id, signature=signature
)
is True
)
assert metrics.increment.calls == [
pretend.call("warehouse.vulnerabilities.osv.auth.cache.miss"),
pretend.call("warehouse.vulnerabilities.osv.auth.success"),
]
def test_check_public_key_error(self):
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
with pytest.raises(integrations.InvalidPayloadSignatureError) as exc:
vuln_report_verifier._check_public_key(public_keys=[], key_id="c")
assert str(exc.value) == "Key c not found in public keys"
assert exc.value.reason == "wrong_key_id"
def test_init(self):
metrics = pretend.stub()
session = pretend.stub()
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
session=session,
metrics=metrics,
public_keys_cache=cache,
)
# assert vuln_report_verifier._session is session
assert vuln_report_verifier._metrics is metrics
assert vuln_report_verifier._public_keys_cache is cache
def test_get_cached_public_key_cache_miss_no_cache(self):
metrics = pretend.stub()
session = pretend.stub()
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=metrics,
public_keys_cache=cache,
)
with pytest.raises(integrations.CacheMissError):
vuln_report_verifier._get_cached_public_keys()
def test_extract_public_keys_error(self, payload, expected):
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=cache,
)
with pytest.raises(osv.OSVPublicKeyAPIError) as exc:
list(vuln_report_verifier.extract_public_keys(pubkey_api_data=payload))
assert exc.value.reason == "public_key_api.format_error"
assert str(exc.value) == expected
assert cache.cache is None
def test_get_cached_public_key_cache_hit(self):
metrics = pretend.stub()
session = pretend.stub()
cache = integrations.PublicKeysCache(cache_time=12)
cache_value = pretend.stub()
cache.set(now=time.time(), value=cache_value)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=metrics,
public_keys_cache=cache,
)
assert vuln_report_verifier._get_cached_public_keys() is cache_value
def test_check_public_key(self):
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
keys = [
{"key_id": "a", "key": "b"},
{"key_id": "c", "key": "d"},
]
assert (
vuln_report_verifier._check_public_key(public_keys=keys, key_id="c") == "d"
)
def test_retrieve_public_key_payload_connection_error(self):
session = pretend.stub(get=pretend.raiser(requests.ConnectionError))
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
with pytest.raises(osv.OSVPublicKeyAPIError) as exc:
vuln_report_verifier.retrieve_public_key_payload()
assert str(exc.value) == "Could not connect to OSV"
assert exc.value.reason == "public_key_api.network_error"
def test_verify_cache_hit(self):
session = pretend.stub()
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
cache = integrations.PublicKeysCache(cache_time=12)
cache.cached_at = time.time()
cache.cache = [
{
"key_id": "90a421169f0a406205f1563a953312f0be898d3c"
"7b6c06b681aa86a874555f4a",
"key": "-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1c2S+CINXEihVeXz95He1bmWfhPc\n"
"ri7XBJXSEtW2IuZZyrlQP7wDXVupMZ3OsGsZaNX0SL4/nOx2S4OTrF1miA==\n"
"-----END PUBLIC KEY-----\n",
}
]
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=metrics,
public_keys_cache=cache,
)
key_id = "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a"
signature = (
"MEUCIQDz4wvDZjrX2YHsWhmu5Cvvp0gny6xYMD0AGrwEhTHGRAIgXCSvx"
"Tl2SdnaY7fImXFRSKhbw3IRf68g1LMaQRetM80="
)
payload = (
b'[{"project":"vuln_project",'
b'"versions":["v1","v2"],'
b'"id":"vuln_id",'
b'"link":"vulns.com/vuln_id",'
b'"aliases":["vuln_alias"]}]'
)
assert (
vuln_report_verifier.verify(
payload=payload, key_id=key_id, signature=signature
)
is True
)
assert metrics.increment.calls == [
pretend.call("warehouse.vulnerabilities.osv.auth.cache.hit"),
pretend.call("warehouse.vulnerabilities.osv.auth.success"),
]
def test_retrieve_public_key_payload_json_error(self):
response = pretend.stub(
text="Still a non-json teapot",
json=pretend.raiser(json.JSONDecodeError("", "", 3)),
raise_for_status=lambda: None,
)
session = pretend.stub(get=lambda *a, **k: response)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
with pytest.raises(osv.OSVPublicKeyAPIError) as exc:
vuln_report_verifier.retrieve_public_key_payload()
assert str(exc.value) == "Non-JSON response received: Still a non-json teapot"
assert exc.value.reason == "public_key_api.invalid_json"
def test_check_signature_invalid_crypto(self):
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
public_key = ""
signature = ""
payload = "yeah, nope, that won't pass"
with pytest.raises(integrations.InvalidPayloadSignatureError) as exc:
vuln_report_verifier._check_signature(
payload=payload, public_key=public_key, signature=signature
)
assert str(exc.value) == "Invalid cryptographic values"
assert exc.value.reason == "invalid_crypto"
def test_retrieve_public_key_payload_http_error(self):
response = pretend.stub(
status_code=418,
text="I'm a teapot",
raise_for_status=pretend.raiser(requests.HTTPError),
)
session = pretend.stub(
get=lambda *a, **k: response,
)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=session,
metrics=pretend.stub(),
public_keys_cache=pretend.stub(),
)
with pytest.raises(osv.OSVPublicKeyAPIError) as exc:
vuln_report_verifier.retrieve_public_key_payload()
assert str(exc.value) == "Invalid response code 418: I'm a teapot"
assert exc.value.reason == "public_key_api.status.418"
def report_vulnerabilities(request):
# Vulnerability sources call this API view when they have identified a
# vulnerability that affects a project release.
body = request.body
# Thanks to the predicates, we know the headers we need are defined.
key_id = request.headers.get("VULN-PUBLIC-KEY-IDENTIFIER")
signature = request.headers.get("VULN-PUBLIC-KEY-SIGNATURE")
metrics = request.find_service(IMetricsService, context=None)
verifier = osv.VulnerabilityReportVerifier(
session=request.http,
metrics=metrics,
)
if not verifier.verify(payload=body, key_id=key_id, signature=signature):
return Response(status=400)
try:
vulnerability_reports = request.json_body
except json.decoder.JSONDecodeError:
metrics.increment(
"warehouse.vulnerabilties.error.payload.json_error", tags=["origin:osv"]
)
return Response(status=400)
try:
utils.analyze_vulnerabilities(
request=request,
vulnerability_reports=vulnerability_reports,
origin="osv",
metrics=metrics,
)
except vulnerabilities.InvalidVulnerabilityReportError:
return Response(status=400)
except NoResultFound:
return Response(status=404)
# 204 No Content: we acknowledge but we won't comment on the outcome.
return Response(status=204)
def test_verify_error(self):
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
cache = integrations.PublicKeysCache(cache_time=12)
vuln_report_verifier = osv.VulnerabilityReportVerifier(
public_keys_api_url="http://foo",
session=pretend.stub(),
metrics=metrics,
public_keys_cache=cache,
)
vuln_report_verifier.retrieve_public_key_payload = pretend.raiser(
integrations.InvalidPayloadSignatureError("Bla", "bla")
)
assert (
vuln_report_verifier.verify(payload={}, key_id="a", signature="a") is False
)
assert metrics.increment.calls == [
pretend.call("warehouse.vulnerabilities.osv.auth.cache.miss"),
pretend.call("warehouse.vulnerabilities.osv.auth.error.bla"),
]
