Merge branch 'main' into client-certificate

2025-12-22 11:55:40 +01:00 · 2022-03-23 20:19:51 +01:00 · 2022-03-23 20:19:51 +01:00 · 1d7e7a3124
commit 1d7e7a3124
parent 3753f08370 5e1f2092e8
5 changed files with 47 additions and 14 deletions
--- a/cmd/csaf_provider/actions.go
+++ b/cmd/csaf_provider/actions.go
@ -219,7 +219,8 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
 			}

 			feedURL := csaf.JSONURL(
-				c.cfg.Domain + "/.well-known/csaf/" + ts + "/" + feedName)
+				c.cfg.CanonicalURLPrefix +
+					"/.well-known/csaf/" + ts + "/" + feedName)

 			tlpLabel := csaf.TLPLabel(strings.ToUpper(ts))

@ -241,7 +242,7 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {

 			year := strconv.Itoa(ex.InitialReleaseDate.Year())

-			csafURL := c.cfg.Domain +
+			csafURL := c.cfg.CanonicalURLPrefix +
 				"/.well-known/csaf/" + ts + "/" + year + "/" + newCSAF

 			e := rolie.EntryByID(ex.ID)
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
@ -39,7 +39,7 @@ type config struct {
 	TLPs                    []tlp           `toml:"tlps"`
 	UploadSignature         bool            `toml:"upload_signature"`
 	OpenPGPURL              string          `toml:"openpgp_url"`
-	Domain                  string          `toml:"domain"`
+	CanonicalURLPrefix      string          `toml:"canonical_url_prefix"`
 	NoPassphrase            bool            `toml:"no_passphrase"`
 	NoValidation            bool            `toml:"no_validation"`
 	NoWebUI                 bool            `toml:"no_web_ui"`
@ -149,8 +149,8 @@ func loadConfig() (*config, error) {
 		cfg.Web = defaultWeb
 	}

-	if cfg.Domain == "" {
-		cfg.Domain = "http://" + os.Getenv("SERVER_NAME")
+	if cfg.CanonicalURLPrefix == "" {
+		cfg.CanonicalURLPrefix = "https://" + os.Getenv("SERVER_NAME")
 	}

 	if cfg.TLPs == nil {
--- a/cmd/csaf_provider/create.go
+++ b/cmd/csaf_provider/create.go
@ -95,7 +95,7 @@ func createSecurity(c *config, wellknown string) error {
 			}
 			fmt.Fprintf(
 				f, "CSAF: %s/.well-known/csaf/provider-metadata.json\n",
-				c.Domain)
+				c.CanonicalURLPrefix)
 			return f.Close()
 		}
 		return err
@ -113,7 +113,7 @@ func createProviderMetadata(c *config, wellknownCSAF string) error {
 	if !os.IsNotExist(err) {
 		return err
 	}
-	pm := csaf.NewProviderMetadataDomain(c.Domain, c.modelTLPs())
+	pm := csaf.NewProviderMetadataDomain(c.CanonicalURLPrefix, c.modelTLPs())
 	pm.Publisher = c.Publisher

 	// Set OpenPGP key.
--- a/cmd/csaf_provider/transaction.go
+++ b/cmd/csaf_provider/transaction.go
@ -30,7 +30,7 @@ func doTransaction(
 		f, err := os.Open(metadata)
 		if err != nil {
 			if os.IsNotExist(err) {
-				return csaf.NewProviderMetadataDomain(cfg.Domain, cfg.modelTLPs()), nil
+				return csaf.NewProviderMetadataDomain(cfg.CanonicalURLPrefix, cfg.modelTLPs()), nil
 			}
 			return nil, err
 		}
--- a/docs/provider-setup.md
+++ b/docs/provider-setup.md
@ -7,19 +7,22 @@ The following instructions are for an Debian 11 server setup.
 ```(shell)
 apt-get install nginx fcgiwrap
 cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
+```
+Check if the CGI server and the fcgiwrap Socket active (running):
+```bash
 systemctl status fcgiwrap.service
 systemctl status fcgiwrap.socket
 systemctl is-enabled fcgiwrap.service
 systemctl is-enabled fcgiwrap.socket
 ```
-
+Change the group ownership and the permissions of `/var/www`:
 ```(shell)
 cd /var/www
 chgrp -R www-data .
 chmod -R g+w .
 ```

-Content of `/etc/nginx/fcgiwrap.conf`
+Modify the content of `/etc/nginx/fcgiwrap.conf` like following:

 ```
 # Include this file on your nginx.conf to support debian cgi-bin scripts using
@ -57,9 +60,10 @@ Add to `/etc/nginx/sites-enabled/default`:

 ```
 server {
-
    root /var/www/html;

+      # Other config
+      # ...
    location / {
        # Other config
        # ...
@ -78,8 +82,10 @@ server {
 ```
 Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu).

-Place the binary under `/usr/lib/cgi-bin/csaf_provider.go`.
-Make sure `/usr/lib/cgi-bin/` exists.
+Create `cgi-bin` folder if not exists `mkdir -p /usr/lib/cgi-bin/`.
+
+Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`.
+

 Create configuration file under `/usr/lib/csaf/config.toml`:

@ -88,15 +94,41 @@ Create configuration file under `/usr/lib/csaf/config.toml`:
 # key = "/usr/lib/csaf/public.asc"
 key = "/usr/lib/csaf/private.asc"
 #tlps = ["green", "red"]
-domain = "http://192.168.56.102"
+canonical_url_prefix = "http://192.168.56.102"
 #no_passphrase = true
 ```
 with suitable replacements
 (This configurations-example assumes that the private/public keys are available under `/usr/lib/csaf/`).


+with suitable [replacements](#provider-options).

 Create the folders:
 ```(shell)
 curl http://192.168.56.102/cgi-bin/csaf_provider.go/create
 ```
+Or using the uploader:
+```(shell)
+./csaf_uploader -a create -u http://192.168.56.102/cgi-bin/csaf_provider.go
+```
+
+## Provider options
+Provider has many config options described as following:
+
+ - password: Authentication password for accessing the CSAF provider.
+ - key: The private OpenPGP key.
+ - folder: Specify the root folder. Default: `/var/www/`.
+ - web: Specify the web folder. Default: `/var/www/html`.
+ - tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red").             
+   The "csaf" selection lets the provider takes the value from the CSAF document.         
+   These affects the list items in the web interface.      
+   Default: `["csaf", "white", "amber", "green", "red"]`.
+ - upload_signature: Send signature with the request, an additional input-field in the web interface will be shown to let user enter an ascii armored signature. Default: `false`.
+ - openpgp_url: URL to OpenPGP key-server. Default: `https://openpgp.circl.lu`.
+ - canonical_url_prefix: start of the URL where contents shall be accessible from the internet. Default: `https://$SERVER_NAME`.
+ - no_passphrase: Let user send password with the request, if set to true the input-field in the web interface will be disappeared. Default: `false`.
+ - no_validation: Validate the uploaded CSAF document against the JSON schema. Default: `false`.
+ - no_web_ui: Disable the web interface. Default: `false`.
+ - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
+ - publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
+ - upload_limit: Set the upload limit  size of the file. Default: `50 MiB`.