
Merge branch 'main' into client-certificate

This commit is contained in:
Bernhard E. Reiter 2022-03-23 20:19:51 +01:00 committed by GitHub
commit 1d7e7a3124
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 47 additions and 14 deletions


@ -219,7 +219,8 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
} }
feedURL := csaf.JSONURL( feedURL := csaf.JSONURL(
c.cfg.Domain + "/.well-known/csaf/" + ts + "/" + feedName) c.cfg.CanonicalURLPrefix +
"/.well-known/csaf/" + ts + "/" + feedName)
tlpLabel := csaf.TLPLabel(strings.ToUpper(ts)) tlpLabel := csaf.TLPLabel(strings.ToUpper(ts))
@ -241,7 +242,7 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
year := strconv.Itoa(ex.InitialReleaseDate.Year()) year := strconv.Itoa(ex.InitialReleaseDate.Year())
csafURL := c.cfg.Domain + csafURL := c.cfg.CanonicalURLPrefix +
"/.well-known/csaf/" + ts + "/" + year + "/" + newCSAF "/.well-known/csaf/" + ts + "/" + year + "/" + newCSAF
e := rolie.EntryByID(ex.ID) e := rolie.EntryByID(ex.ID)
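Review bot: Both `feedURL` (first hunk) and `csafURL` (second hunk) glue `c.cfg.CanonicalURLPrefix` straight onto `"/.well-known/csaf/"`, so a prefix configured with a trailing slash (`https://example.org/`) produces `https://example.org//.well-known/...` in the ROLIE feed link and every entry URL; the old `Domain` field had the same shape, but a field named "URL prefix" makes a trailing slash a much likelier configuration. The cheapest fix is to normalise once where the prefix is loaded, but if it is done here a single line suffices: `prefix := strings.TrimSuffix(c.cfg.CanonicalURLPrefix, "/")` and then use `prefix` in both concatenations. The same concatenation appears in createSecurity's security.txt line and in the two NewProviderMetadataDomain calls in the later file sections, which would be covered by normalising in loadConfig. upload's body starts and ends outside these hunks.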


@ -39,7 +39,7 @@ type config struct {
TLPs []tlp `toml:"tlps"` TLPs []tlp `toml:"tlps"`
UploadSignature bool `toml:"upload_signature"` UploadSignature bool `toml:"upload_signature"`
OpenPGPURL string `toml:"openpgp_url"` OpenPGPURL string `toml:"openpgp_url"`
Domain string `toml:"domain"` CanonicalURLPrefix string `toml:"canonical_url_prefix"`
NoPassphrase bool `toml:"no_passphrase"` NoPassphrase bool `toml:"no_passphrase"`
NoValidation bool `toml:"no_validation"` NoValidation bool `toml:"no_validation"`
NoWebUI bool `toml:"no_web_ui"` NoWebUI bool `toml:"no_web_ui"`
@ -149,8 +149,8 @@ func loadConfig() (*config, error) {
cfg.Web = defaultWeb cfg.Web = defaultWeb
} }
if cfg.Domain == "" { if cfg.CanonicalURLPrefix == "" {
cfg.Domain = "http://" + os.Getenv("SERVER_NAME") cfg.CanonicalURLPrefix = "https://" + os.Getenv("SERVER_NAME")
} }
if cfg.TLPs == nil { if cfg.TLPs == nil {
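Review bot: The new default `"https://" + os.Getenv("SERVER_NAME")` silently degrades to the prefix `https://` when SERVER_NAME is unset (every generated URL then starts with `https:///`), and an explicitly configured `canonical_url_prefix` is never checked to be an absolute URL or stripped of a trailing slash, even though this value ends up as the canonical location in provider-metadata.json and security.txt. It would be better to reject a bad value at load time than to publish broken documents. How the CGI front end populates SERVER_NAME also matters: if it were taken from the request's Host header rather than the server block's configured name, the published canonical URL would become request-controlled, so the nginx/fcgiwrap example in the README should set it from the static server name (I cannot see that config here). loadConfig starts and ends outside the hunk; the proposal below needs `errors`, `fmt`, `net/url` and `strings` in scope if they are not already imported.
```go
	if cfg.CanonicalURLPrefix == "" {
		name := os.Getenv("SERVER_NAME")
		if name == "" {
			return nil, errors.New("canonical_url_prefix is not set and SERVER_NAME is empty")
		}
		cfg.CanonicalURLPrefix = "https://" + name
	}
	// A trailing slash would otherwise yield "//.well-known/..." in every generated URL.
	cfg.CanonicalURLPrefix = strings.TrimSuffix(cfg.CanonicalURLPrefix, "/")
	if u, err := url.Parse(cfg.CanonicalURLPrefix); err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("canonical_url_prefix %q is not an absolute http(s) URL", cfg.CanonicalURLPrefix)
	}
	// … unchanged: TLP defaults …
```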


@ -95,7 +95,7 @@ func createSecurity(c *config, wellknown string) error {
} }
fmt.Fprintf( fmt.Fprintf(
f, "CSAF: %s/.well-known/csaf/provider-metadata.json\n", f, "CSAF: %s/.well-known/csaf/provider-metadata.json\n",
c.Domain) c.CanonicalURLPrefix)
return f.Close() return f.Close()
} }
return err return err
@ -113,7 +113,7 @@ func createProviderMetadata(c *config, wellknownCSAF string) error {
if !os.IsNotExist(err) { if !os.IsNotExist(err) {
return err return err
} }
pm := csaf.NewProviderMetadataDomain(c.Domain, c.modelTLPs()) pm := csaf.NewProviderMetadataDomain(c.CanonicalURLPrefix, c.modelTLPs())
pm.Publisher = c.Publisher pm.Publisher = c.Publisher
// Set OpenPGP key. // Set OpenPGP key.


@ -30,7 +30,7 @@ func doTransaction(
f, err := os.Open(metadata) f, err := os.Open(metadata)
if err != nil { if err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
return csaf.NewProviderMetadataDomain(cfg.Domain, cfg.modelTLPs()), nil return csaf.NewProviderMetadataDomain(cfg.CanonicalURLPrefix, cfg.modelTLPs()), nil
} }
return nil, err return nil, err
} }


@ -7,19 +7,22 @@ The following instructions are for an Debian 11 server setup.
```(shell) ```(shell)
apt-get install nginx fcgiwrap apt-get install nginx fcgiwrap
cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
```
Check if the CGI server and the fcgiwrap Socket active (running):
```bash
systemctl status fcgiwrap.service systemctl status fcgiwrap.service
systemctl status fcgiwrap.socket systemctl status fcgiwrap.socket
systemctl is-enabled fcgiwrap.service systemctl is-enabled fcgiwrap.service
systemctl is-enabled fcgiwrap.socket systemctl is-enabled fcgiwrap.socket
``` ```
Change the group ownership and the permissions of `/var/www`:
```(shell) ```(shell)
cd /var/www cd /var/www
chgrp -R www-data . chgrp -R www-data .
chmod -R g+w . chmod -R g+w .
``` ```
Content of `/etc/nginx/fcgiwrap.conf` Modify the content of `/etc/nginx/fcgiwrap.conf` like following:
``` ```
# Include this file on your nginx.conf to support debian cgi-bin scripts using # Include this file on your nginx.conf to support debian cgi-bin scripts using
@ -57,9 +60,10 @@ Add to `/etc/nginx/sites-enabled/default`:
``` ```
server { server {
root /var/www/html; root /var/www/html;
# Other config
# ...
location / { location / {
# Other config # Other config
# ... # ...
@ -78,8 +82,10 @@ server {
``` ```
Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu). Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu).
Place the binary under `/usr/lib/cgi-bin/csaf_provider.go`. Create `cgi-bin` folder if not exists `mkdir -p /usr/lib/cgi-bin/`.
Make sure `/usr/lib/cgi-bin/` exists.
Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`.
Create configuration file under `/usr/lib/csaf/config.toml`: Create configuration file under `/usr/lib/csaf/config.toml`:
@ -88,15 +94,41 @@ Create configuration file under `/usr/lib/csaf/config.toml`:
# key = "/usr/lib/csaf/public.asc" # key = "/usr/lib/csaf/public.asc"
key = "/usr/lib/csaf/private.asc" key = "/usr/lib/csaf/private.asc"
#tlps = ["green", "red"] #tlps = ["green", "red"]
domain = "http://192.168.56.102" canonical_url_prefix = "http://192.168.56.102"
#no_passphrase = true #no_passphrase = true
``` ```
with suitable replacements with suitable replacements
(This configurations-example assumes that the private/public keys are available under `/usr/lib/csaf/`). (This configurations-example assumes that the private/public keys are available under `/usr/lib/csaf/`).
with suitable [replacements](#provider-options).
Create the folders: Create the folders:
```(shell) ```(shell)
curl http://192.168.56.102/cgi-bin/csaf_provider.go/create curl http://192.168.56.102/cgi-bin/csaf_provider.go/create
``` ```
Or using the uploader:
```(shell)
./csaf_uploader -a create -u http://192.168.56.102/cgi-bin/csaf_provider.go
```
## Provider options
Provider has many config options described as following:
- password: Authentication password for accessing the CSAF provider.
- key: The private OpenPGP key.
- folder: Specify the root folder. Default: `/var/www/`.
- web: Specify the web folder. Default: `/var/www/html`.
- tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red").
The "csaf" selection lets the provider takes the value from the CSAF document.
These affects the list items in the web interface.
Default: `["csaf", "white", "amber", "green", "red"]`.
- upload_signature: Send signature with the request, an additional input-field in the web interface will be shown to let user enter an ascii armored signature. Default: `false`.
- openpgp_url: URL to OpenPGP key-server. Default: `https://openpgp.circl.lu`.
- canonical_url_prefix: start of the URL where contents shall be accessible from the internet. Default: `https://$SERVER_NAME`.
- no_passphrase: Let user send password with the request, if set to true the input-field in the web interface will be disappeared. Default: `false`.
- no_validation: Validate the uploaded CSAF document against the JSON schema. Default: `false`.
- no_web_ui: Disable the web interface. Default: `false`.
- dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
- publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
- upload_limit: Set the upload limit size of the file. Default: `50 MiB`.