mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00

Only create/update index.txt, changes.csv, security.txt when configured. (#210)

* Change default to not write index.txt, changes.csv and security.txt 
  (for provider and aggregator)
* Add config file options to reenable writing.
Sascha L. Teichmann 2022-07-05 16:44:45 +02:00 committed by GitHub
parent 3a3ef7a961
commit 20f5937240
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 51 additions and 23 deletions


@ -38,6 +38,7 @@ type provider struct {
// Rate gives the provider specific rate limiting (see overall Rate).
Rate *float64 `toml:"rate"`
Insecure *bool `toml:"insecure"`
WriteIndices *bool `toml:"write_indices"`
}
type config struct {
@ -50,6 +51,7 @@ type config struct {
// Rate gives the average upper limit of https operations per second.
Rate *float64 `toml:"rate"`
Insecure *bool `toml:"insecure"`
WriteIndices bool `toml:"write_indices"`
Aggregator csaf.AggregatorInfo `toml:"aggregator"`
Providers []*provider `toml:"providers"`
OpenPGPPrivateKey string `toml:"openpgp_private_key"`
@ -75,6 +77,14 @@ type config struct {
keyErr error
}
// writeIndices tells if we should write index.txt and changes.csv.
func (p *provider) writeIndices(c *config) bool {
if p.WriteIndices != nil {
return *p.WriteIndices
}
return c.WriteIndices
}
// runAsMirror determines if the aggregator should run in mirror mode.
func (c *config) runAsMirror() bool {
return c.Aggregator.Category != nil &&
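Review bot: The doc comment on `(*provider).writeIndices` does not say which setting wins, although the field types (`*bool` on the provider, plain `bool` on the config) exist to express exactly that. I would spell it out: `// writeIndices reports whether index.txt and changes.csv should be written for this provider; a per-provider write_indices value, if set, overrides the global one.` The method reads `c.WriteIndices` without a nil check, so it relies on every caller passing a non-nil config; the only caller visible on this page passes `w.processor.cfg`.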


@ -220,12 +220,15 @@ func (w *worker) writeIndices() error {
if err := w.writeInterims(label, summaries); err != nil {
return err
}
// Only write index.txt and changes.csv if configured.
if w.provider.writeIndices(w.processor.cfg) {
if err := w.writeCSV(label, summaries); err != nil {
return err
}
if err := w.writeIndex(label, summaries); err != nil {
return err
}
}
if err := w.writeROLIE(label, summaries); err != nil {
return err
}
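Review bot: Inside `(w *worker) writeIndices` the new gate calls `w.provider.writeIndices(...)`, which reads like a recursive call at first glance, and the comment does not say that the surrounding `writeInterims` and `writeROLIE` calls stay unconditional. A comment such as `// index.txt and changes.csv are optional; interims and the ROLIE feed are always written.` would make the split explicit. The method starts and ends outside the hunk.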


@ -322,12 +322,15 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
return err
}
// Only write index.txt and changes.csv if configured.
if c.cfg.WriteIndices {
if err := updateIndices(
folder, filepath.Join(year, newCSAF),
ex.CurrentReleaseDate,
); err != nil {
return err
}
}
// Take over publisher
switch {
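Review bot: With `write_indices` now defaulting to false, the guard around `updateIndices` means an `index.txt` and `changes.csv` written by an earlier version presumably stay in the folder but stop receiving new entries; nothing in this hunk removes them or tells the operator. A consumer that still reads the directory listing would then miss advisories uploaded after the upgrade, which is a quiet failure mode for a security advisory feed. Unless that is handled outside this hunk, I would at least state it at the guard, e.g. `// NOTE: when disabled, existing index.txt/changes.csv are left untouched and become stale.`, and mention it in the upgrade notes. The body of `upload` starts and ends outside the hunk.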


@ -56,6 +56,8 @@ type config struct {
UploadLimit *int64 `toml:"upload_limit"`
Issuer *string `toml:"issuer"`
RemoteValidator *csaf.RemoteValidatorOptions `toml:"remote_validator"`
WriteIndices bool `toml:"write_indices"`
WriteSecurity bool `toml:"write_security"`
}
func (pmdc *providerMetadataConfig) apply(pmd *csaf.ProviderMetadata) {


@ -41,7 +41,13 @@ func ensureFolders(c *config) error {
}
}
return setupSecurity(c, wellknown)
// Only write/modify security.txt if configured.
if c.WriteSecurity {
if err := setupSecurity(c, wellknown); err != nil {
return err
}
}
return nil
}
// createWellknown creates ".well-known" directory if not exist and returns nil.
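Review bot: Skipping `setupSecurity` by default leaves the `CSAF:` entry in `security.txt` entirely to the operator, and the new comment does not say so; a fresh install ends up without the entry and an upgraded one presumably keeps whatever was written before. Suggest `// Only write/modify security.txt if configured; otherwise the operator has to maintain the CSAF: entry.` As a style point, the tail reads more simply as `if !c.WriteSecurity { return nil }` followed by `return setupSecurity(c, wellknown)`. `ensureFolders` begins outside the hunk.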


@ -78,8 +78,7 @@ web // directory to be served by the webserver
domain // base url where the contents will be reachable from outside
rate // overall downloading limit per worker
insecure // do not check validity of TLS certificates
aggregator // table with basic infos for the aggregator object
providers // array of tables, each entry to be mirrored or listed
write_indices // write index.txt and changes.csv
openpgp_private_key // OpenPGP private key
openpgp_public_key // OpenPGP public key
passphrase // passphrase of the OpenPGP key
@ -88,6 +87,8 @@ interim_years // limiting the years for which interim documents are sear
verbose // print more diagnostic output, e.g. https request
allow_single_provider // debugging option
remote_validator // use remote validation checker
aggregator // table with basic infos for the aggregator object
providers // array of tables, each entry to be mirrored or listed
```
Rates are specified as floats in HTTPS operations per second.
@ -99,6 +100,7 @@ name
domain
rate
insecure
write_indices
```
#### Example config file


@ -21,6 +21,8 @@ Following options are supported in the config file:
- dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
- upload_limit: Set the upload limit size of a file in bytes. Default: `52428800` (aka 50 MiB).
- issuer: The issuer of the CA, which if set, restricts the writing permission and the accessing to the web-interface to only the client certificates signed with this CA.
- write_indices: Write/update `index.txt` and `changes.csv`. Default: false
- write_security: Write `CSAF:` entry into `security.txt`: Default: false
- tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red").
The "csaf" selection lets the provider takes the value from the CSAF document.
These affects the list items in the web interface.


@ -5,6 +5,13 @@ web = "/var/csaf_aggregator/html"
domain = "https://localhost:9443"
rate = 10.0
insecure = true
#key =
#passphrase =
#write_indices = false
# specification requires at least two providers (default),
# to override for testing, enable:
# allow_single_provider = true
[aggregator]
category = "aggregator"
@ -24,11 +31,4 @@ insecure = true
domain = "localhost"
# rate = 1.2
# insecure = true
#key =
#passphrase =
# specification requires at least two providers (default),
# to override for testing, enable:
# allow_single_provider = true
write_indices = true