Change DocumentRevisionsValidator allowedReferences checks to have info status

DEVSIX-8392

Author: AnhelinaM

sign/src/main/java/com/itextpdf/signatures/validation/v1/DocumentRevisionsValidator.java

@@ -132,6 +132,7 @@ public class DocumentRevisionsValidator {
     private IMetaInfo metaInfo = new ValidationMetaInfo();
     private AccessPermissions accessPermissions = AccessPermissions.ANNOTATION_MODIFICATION;
     private AccessPermissions requestedAccessPermissions = AccessPermissions.UNSPECIFIED;
+    private ReportItemStatus unexpectedXrefChangesStatus = ReportItemStatus.INFO;
     private Set<PdfObject> checkedAnnots;
     private Set<PdfDictionary> newlyAddedFields;
 
@@ -169,6 +170,19 @@ public DocumentRevisionsValidator setAccessPermissions(AccessPermissions accessP
         return this;
     }
 
+    /**
+     * Set the status to be used for the report items produced during docMDP validation in case revision contains
+     * unexpected changes in the XREF table. Default value is {@link ReportItemStatus#INFO}.
+     *
+     * @param status {@link ReportItemStatus} to be used in case of unexpected changes in the XREF table
+     *
+     * @return the same {@link DocumentRevisionsValidator} instance.
+     */
+    public DocumentRevisionsValidator setUnexpectedXrefChangesStatus(ReportItemStatus status) {
+        this.unexpectedXrefChangesStatus = status;
+        return this;
+    }
+
     /**
      * Validate all document revisions according to docMDP and fieldMDP transform methods.
      *
@@ -273,12 +287,13 @@ void validateRevision(DocumentRevision previousRevision, DocumentRevision curren
                     if (!isMaxGenerationObject(indirectReference) &&
                             referenceWasInPrevDocument && !referenceAllowedToBeRemoved) {
                         validationReport.addReportItem(new ReportItem(DOC_MDP_CHECK, MessageFormatUtil.format(
-                                OBJECT_REMOVED, indirectReference.getObjNumber()), ReportItemStatus.INVALID));
+                                OBJECT_REMOVED, indirectReference.getObjNumber()), unexpectedXrefChangesStatus));
                     }
                 } else if (!checkAllowedReferences(currentAllowedReferences, previousAllowedReferences,
-                        indirectReference, documentWithoutRevision)) {
+                        indirectReference, documentWithoutRevision) &&
+                        !isAllowedStreamObj(indirectReference, documentWithRevision)) {
                     validationReport.addReportItem(new ReportItem(DOC_MDP_CHECK, MessageFormatUtil.format(
-                            UNEXPECTED_ENTRY_IN_XREF, indirectReference.getObjNumber()), ReportItemStatus.INVALID));
+                            UNEXPECTED_ENTRY_IN_XREF, indirectReference.getObjNumber()), unexpectedXrefChangesStatus));
                 }
             }
         } catch (IOException exception) {
@@ -1323,6 +1338,15 @@ private boolean checkAllowedReferences(Set<PdfIndirectReference> currentAllowedR
         return false;
     }
 
+    private boolean isAllowedStreamObj(PdfIndirectReference indirectReference, PdfDocument document) {
+        PdfObject pdfObject = document.getPdfObject(indirectReference.getObjNumber());
+        if (pdfObject instanceof PdfStream) {
+            PdfName type = ((PdfStream) pdfObject).getAsName(PdfName.Type);
+            return PdfName.XRef.equals(type) || PdfName.ObjStm.equals(type);
+        }
+        return false;
+    }
+
     // Allowed references creation nested methods section:
 
     private Set<PdfIndirectReference> createAllowedDssEntries(PdfDocument document) {

sign/src/test/java/com/itextpdf/signatures/validation/v1/DocumentRevisionsValidatorIntegrationTest.java

@@ -459,4 +459,43 @@ public void removeUnnamedFieldTest() throws Exception {
             Assert.assertEquals(AccessPermissions.ANNOTATION_MODIFICATION, validator.getAccessPermissions());
         }
     }
+
+    @Test
+    public void fullCompressionModeLevel1Test() throws Exception {
+        try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "fullCompressionModeLevel1.pdf"))) {
+            DocumentRevisionsValidator validator = builder.buildDocumentRevisionsValidator();
+            ValidationReport report = validator.validateAllDocumentRevisions(validationContext, document);
+
+            Assert.assertEquals(AccessPermissions.NO_CHANGES_PERMITTED, validator.getAccessPermissions());
+
+            AssertValidationReport.assertThat(report, a -> a.hasStatus(ValidationResult.VALID)
+                    .hasNumberOfFailures(0).hasNumberOfLogs(0));
+        }
+    }
+
+    @Test
+    public void fullCompressionModeLevel2Test() throws Exception {
+        try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "fullCompressionModeLevel2.pdf"))) {
+            DocumentRevisionsValidator validator = builder.buildDocumentRevisionsValidator();
+            ValidationReport report = validator.validateAllDocumentRevisions(validationContext, document);
+
+            Assert.assertEquals(AccessPermissions.FORM_FIELDS_MODIFICATION, validator.getAccessPermissions());
+
+            AssertValidationReport.assertThat(report, a -> a.hasStatus(ValidationResult.VALID)
+                    .hasNumberOfFailures(0).hasNumberOfLogs(0));
+        }
+    }
+
+    @Test
+    public void fullCompressionModeLevel3Test() throws Exception {
+        try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "fullCompressionModeLevel3.pdf"))) {
+            DocumentRevisionsValidator validator = builder.buildDocumentRevisionsValidator();
+            ValidationReport report = validator.validateAllDocumentRevisions(validationContext, document);
+
+            Assert.assertEquals(AccessPermissions.ANNOTATION_MODIFICATION, validator.getAccessPermissions());
+
+            AssertValidationReport.assertThat(report, a -> a.hasStatus(ValidationResult.VALID)
+                    .hasNumberOfFailures(0).hasNumberOfLogs(0));
+        }
+    }
 }

sign/src/test/java/com/itextpdf/signatures/validation/v1/DocumentRevisionsValidatorTest.java

@@ -98,11 +98,11 @@ public void multipleRevisionsDocumentLevel1Test() throws IOException {
 
             // Between these two revisions DSS and timestamp are added, which is allowed,
             // but there is unused entry in the xref table, which is an itext signature generation artifact.
-            AssertValidationReport.assertThat(validationReport, a -> a.hasStatus(ValidationResult.INVALID)
-                    .hasNumberOfFailures(1).hasNumberOfLogs(1)
+            AssertValidationReport.assertThat(validationReport, a -> a.hasStatus(ValidationResult.VALID)
+                    .hasNumberOfFailures(0).hasNumberOfLogs(1)
                     .hasLogItem(l -> l.withCheckName(DocumentRevisionsValidator.DOC_MDP_CHECK)
                             .withMessage(DocumentRevisionsValidator.UNEXPECTED_ENTRY_IN_XREF, i -> 27)
-                            .withStatus(ReportItemStatus.INVALID)));
+                            .withStatus(ReportItemStatus.INFO)));
 
             validationReport = new ValidationReport();
             validator.validateRevision(documentRevisions.get(1), documentRevisions.get(2), document, validationReport, validationContext);
@@ -257,8 +257,9 @@ public void randomEntryAddedTest() throws IOException {
     @Test
     public void randomEntryWithoutUsageTest() throws IOException {
         try (PdfDocument document = new PdfDocument(new PdfReader(SOURCE_FOLDER + "randomEntryWithoutUsage.pdf"))) {
-            DocumentRevisionsValidator validator = builder.buildDocumentRevisionsValidator();
-            validator.setAccessPermissions(AccessPermissions.NO_CHANGES_PERMITTED);
+            DocumentRevisionsValidator validator = builder.buildDocumentRevisionsValidator()
+                    .setAccessPermissions(AccessPermissions.NO_CHANGES_PERMITTED)
+                    .setUnexpectedXrefChangesStatus(ReportItemStatus.INVALID);
             PdfRevisionsReader revisionsReader = new PdfRevisionsReader(document.getReader());
             List<DocumentRevision> documentRevisions = revisionsReader.getAllRevisions();
 

sign/src/test/java/com/itextpdf/signatures/validation/v1/SignatureValidatorIntegrationTest.java

@@ -259,19 +259,20 @@ public void validateMultipleSignaturesUsingLastKnownPoETest() throws Exception {
                     .withRevocationDataValidator(new MockRevocationDataValidator()).buildSignatureValidator();
             ValidationReport report = signatureValidator.validateSignatures(document);
 
-            // Document contains invalid unused entry which is invalid according to DocumentRevisionsValidator.
             AssertValidationReport.assertThat(report, r -> r
-                    .hasStatus(ValidationResult.INVALID)
-                    .hasNumberOfLogs(5).hasNumberOfFailures(1)
+                    .hasStatus(ValidationResult.VALID)
+                    .hasNumberOfLogs(5).hasNumberOfFailures(0)
                     .hasLogItem(l -> l
                             .withCheckName(SignatureValidator.SIGNATURE_VERIFICATION)
                             .withMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, p -> "timestampSig1"))
                     .hasLogItem(l -> l
                             .withCheckName(SignatureValidator.SIGNATURE_VERIFICATION)
                             .withMessage(SignatureValidator.VALIDATING_SIGNATURE_NAME, p -> "Signature1"))
+                    // Document contains unused unexpected entry.
                     .hasLogItem(l -> l
                             .withCheckName(DocumentRevisionsValidator.DOC_MDP_CHECK)
-                            .withMessage(DocumentRevisionsValidator.UNEXPECTED_ENTRY_IN_XREF, p -> "28"))
+                            .withMessage(DocumentRevisionsValidator.UNEXPECTED_ENTRY_IN_XREF, p -> "28")
+                            .withStatus(ReportItem.ReportItemStatus.INFO))
             );
         }
     }