Add dns config example and add it to integration tests

* Add action for starting integration tests
* Configure nginx to resolve DNS record
* Sync itest.yml and docs/scripts/Readme.md

resolve #100

.github/workflows/generate-markdown.yml

@@ -1,6 +1,7 @@
 name: generate-markdown
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - "main"

.github/workflows/itest.yml

@@ -20,8 +20,10 @@ jobs:
           cp -r $GITHUB_WORKSPACE ~
           cd ~
           cd csaf_distribution/docs/scripts/
-          env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSConfigsForITest.sh
+          # keep in sync with docs/scripts/Readme.md
-          env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSClientConfigsForITest.sh
+          export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
+          source ./TLSConfigsForITest.sh
+          ./TLSClientConfigsForITest.sh
           ./setupProviderForITest.sh
           ./testAggregator.sh
         shell: bash

docs/provider-setup.md

@@ -24,7 +24,7 @@ chmod -R g+w .
 
 Modify the content of `/etc/nginx/fcgiwrap.conf` like following:
 
-<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=24-52) -->
+<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=25-53) -->
 <!-- The below code snippet is automatically added from ../docs/scripts/setupProviderForITest.sh -->
 ```sh
 # Include this file on your nginx.conf to support debian cgi-bin scripts using
@@ -91,7 +91,7 @@ Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_pr
 
 Create configuration file under `/usr/lib/csaf/config.toml`:
 
-<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=82-87) -->
+<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=83-88) -->
 <!-- The below code snippet is automatically added from ../docs/scripts/setupProviderForITest.sh -->
 ```sh
 # upload_signature = true
@@ -118,6 +118,16 @@ Or using the uploader:
 Replace {password} with the password used for the authentication with csaf_provider.
 This needs to set the `password` option in `config.toml`.
 
+To let nginx resolves the DNS record `csaf.data.security.domain.tld` to fulfill the [Requirement 10](https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html#7110-requirement-10-dns-path) configure a new server block (virtual host) in a separated file under `/etc/nginx/available-sites/{DNSNAME}` like following:
+<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/DNSConfigForItest.sh&lines=18-35) -->
+<!-- MARKDOWN-AUTO-DOCS:END -->
+
+Then create a symbolic link to enable the new server block:
+```shell
+ln -s /etc/nginx/sites-available/{DNSNAME} /etc/nginx/sites-enabled/
+```
+Replace {DNSNAME} with a server block file name.
+
 ## Provider options
 Provider has many config options described as following:
 

docs/scripts/DNSConfigForItest.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# This file is Free Software under the MIT License
+# without warranty, see README.md and LICENSES/MIT.txt for details.
+#
+# SPDX-License-Identifier: MIT
+#
+# SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+# Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
+
+# This script adds a new server block with the given DNS-Record and ajdust the "/etc/hosts" to
+# set the DNS-Record for the localhost for testing.
+
+set -e
+
+sudo touch /etc/nginx/sites-available/DNSConfig
+echo "
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        ssl_certificate  '${SSL_CERTIFICATE}'; # e.g. ssl_certificate /etc/ssl/csaf/bundle.crt
+        ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;
+
+        root /var/www/html;
+
+        server_name ${DNS_NAME}; # e.g. server_name csaf.data.security.domain.tld;
+
+        location / {
+                try_files /.well-known/csaf/provider-metadata.json =404;
+        }
+
+        access_log /var/log/nginx/dns-domain_access.log;
+        error_log /var/log/nginx/dns-domain_error.log;
+}
+" | sudo tee -a /etc/nginx/sites-available/DNSConfig
+
+sudo ln -s /etc/nginx/sites-available/DNSConfig /etc/nginx/sites-enabled/
+
+echo "
+    127.0.0.1 $DNS_NAME
+" | sudo tee -a /etc/hosts

docs/scripts/Readme.md

@@ -19,7 +19,10 @@ Calling example (as root):
     git clone https://github.com/csaf-poc/csaf_distribution.git
     pushd csaf_distribution/docs/scripts/
 
-    env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSConfigsForITest.sh
+    export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
-    env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSClientConfigsForITest.sh
+    source ./TLSConfigsForITest.sh
+    set +e  # for an interactive shell, reverse set -e done by previous line
+    ./TLSClientConfigsForITest.sh
     ./setupProviderForITest.sh
+    ./testAggregator.sh
 ```

docs/scripts/TLSClientConfigsForITest.sh

@@ -38,7 +38,7 @@ echo '
                 return 404;
             }
        }
-'> clientCertificateConfigs.txt
+'> ~/${FOLDERNAME}/clientCertificateConfigs.txt
 
 sudo sed -i "/^server {/r  ${HOME}/${FOLDERNAME}/clientCertificateConfigs.txt" $NGINX_CONFIG_PATH
 

docs/scripts/TLSConfigsForITest.sh

@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # This file is Free Software under the MIT License
 # without warranty, see README.md and LICENSES/MIT.txt for details.
 #
@@ -35,14 +33,14 @@ echo '
         ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;
 
         ssl_protocols TLSv1.2 TLSv1.3;
-' > TLSConfigs.txt
+' > ~/${FOLDERNAME}/TLSConfigs.txt
 
 # a second listener port for testing setup where someone wants to tunnel access
 # to an unpriviledged port and still have the same access url
 echo '
         listen 8443 ssl default_server; # ipv4
         listen [::]:8443 ssl http2 default_server;  # ipv6
-' > TLS8443Configs.txt
+' > ~/${FOLDERNAME}/TLS8443Configs.txt
 
 sudo cp $NGINX_CONFIG_PATH $NGINX_CONFIG_PATH.org
 sudo sed -i "/^server {/r ${HOME}/${FOLDERNAME}/TLSConfigs.txt" $NGINX_CONFIG_PATH

docs/scripts/createWebserverCertForITest.sh

@@ -8,7 +8,7 @@
 
 set -e
 
-cd ~/${FOLDERNAME}
+pushd ~/${FOLDERNAME}
 
 certtool --generate-privkey --outfile testserver-key.pem
 
@@ -33,9 +33,11 @@ certtool --generate-certificate --load-privkey testserver-key.pem --outfile test
 
 cat testserver.crt rootca-cert.pem >bundle.crt
 
-SSL_CERTIFICATE=$(
+export SSL_CERTIFICATE=$(
 echo "$PWD/bundle.crt"
 )
-SSL_CERTIFICATE_KEY=$(
+export SSL_CERTIFICATE_KEY=$(
 echo "$PWD/testserver-key.pem"
 )
+
+popd

docs/scripts/setupProviderForITest.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-
+#
 # This file is Free Software under the MIT License
 # without warranty, see README.md and LICENSES/MIT.txt for details.
 #
@@ -16,7 +16,8 @@ set -e
 sudo chgrp -R www-data  /var/www
 sudo chmod -R g+w  /var/www
 
-NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
+export NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
+export DNS_NAME=csaf.data.security.domain.localhost
 
 sudo cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
 
@@ -62,7 +63,7 @@ echo "
         autoindex on;
 " > locationConfig.txt
 sudo sed -i "/^\s*location \/ {/r locationConfig.txt" $NGINX_CONFIG_PATH # Insert config inside location{}
-
+./DNSConfigForItest.sh
 sudo systemctl reload nginx
 
 # assuming that we are in a checked out version in the docs/scripts directory
@@ -94,3 +95,6 @@ popd
 
 # Upload files
 ./uploadToProvider.sh
+
+# Test resolving DNS record
+curl https://$DNS_NAME --insecure