SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 18:15:42 +01:00
Code Issues Releases Activity Actions

Add dns config example and add it to integration tests

Browse source 
* Add action for starting integration tests
* Configure nginx to resolve DNS record
* Sync itest.yml and docs/scripts/Readme.md

resolve #100
This commit is contained in:
Fadi Abbud 2022-05-16 15:20:37 +02:00 committed by GitHub
parent c4deef74eb
commit 5577a0b088
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 79 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.github/workflows/generate-markdown.yml vendored
View file

@ -1,6 +1,7 @@
name: generate-markdown
on:
workflow_dispatch:
push:
branches:
- "main"

6
.github/workflows/itest.yml vendored
View file

@ -20,8 +20,10 @@ jobs:
cp -r $GITHUB_WORKSPACE ~
cd ~
cd csaf_distribution/docs/scripts/
env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSConfigsForITest.sh
env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSClientConfigsForITest.sh
# keep in sync with docs/scripts/Readme.md
export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
source ./TLSConfigsForITest.sh
./TLSClientConfigsForITest.sh
./setupProviderForITest.sh
./testAggregator.sh
shell: bash

14
docs/provider-setup.md
View file

@ -24,7 +24,7 @@ chmod -R g+w .
Modify the content of `/etc/nginx/fcgiwrap.conf` like following:
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=24-52) -->
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=25-53) -->
<!-- The below code snippet is automatically added from ../docs/scripts/setupProviderForITest.sh -->
```sh
# Include this file on your nginx.conf to support debian cgi-bin scripts using
@ -91,7 +91,7 @@ Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_pr
Create configuration file under `/usr/lib/csaf/config.toml`:
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=82-87) -->
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=83-88) -->
<!-- The below code snippet is automatically added from ../docs/scripts/setupProviderForITest.sh -->
```sh
# upload_signature = true
@ -118,6 +118,16 @@ Or using the uploader:
Replace {password} with the password used for the authentication with csaf_provider.
This needs to set the `password` option in `config.toml`.
To let nginx resolves the DNS record `csaf.data.security.domain.tld` to fulfill the [Requirement 10](https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html#7110-requirement-10-dns-path) configure a new server block (virtual host) in a separated file under `/etc/nginx/available-sites/{DNSNAME}` like following:
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/DNSConfigForItest.sh&lines=18-35) -->
<!-- MARKDOWN-AUTO-DOCS:END -->
Then create a symbolic link to enable the new server block:
```shell
ln -s /etc/nginx/sites-available/{DNSNAME} /etc/nginx/sites-enabled/
```
Replace {DNSNAME} with a server block file name.
## Provider options
Provider has many config options described as following:

42
docs/scripts/DNSConfigForItest.sh Executable file
View file

@ -0,0 +1,42 @@
#!/usr/bin/env bash
#
# This file is Free Software under the MIT License
# without warranty, see README.md and LICENSES/MIT.txt for details.
#
# SPDX-License-Identifier: MIT
#
# SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
# Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
# This script adds a new server block with the given DNS-Record and ajdust the "/etc/hosts" to
# set the DNS-Record for the localhost for testing.
set -e
sudo touch /etc/nginx/sites-available/DNSConfig
echo "
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate '${SSL_CERTIFICATE}'; # e.g. ssl_certificate /etc/ssl/csaf/bundle.crt
ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;
root /var/www/html;
server_name ${DNS_NAME}; # e.g. server_name csaf.data.security.domain.tld;
location / {
try_files /.well-known/csaf/provider-metadata.json =404;
}
access_log /var/log/nginx/dns-domain_access.log;
error_log /var/log/nginx/dns-domain_error.log;
}
" | sudo tee -a /etc/nginx/sites-available/DNSConfig
sudo ln -s /etc/nginx/sites-available/DNSConfig /etc/nginx/sites-enabled/
echo "
127.0.0.1 $DNS_NAME
" | sudo tee -a /etc/hosts

7
docs/scripts/Readme.md
View file

@ -19,7 +19,10 @@ Calling example (as root):
git clone https://github.com/csaf-poc/csaf_distribution.git
pushd csaf_distribution/docs/scripts/
env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSConfigsForITest.sh
env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSClientConfigsForITest.sh
export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
source ./TLSConfigsForITest.sh
set +e # for an interactive shell, reverse set -e done by previous line
./TLSClientConfigsForITest.sh
./setupProviderForITest.sh
./testAggregator.sh
```

2
docs/scripts/TLSClientConfigsForITest.sh
View file

@ -38,7 +38,7 @@ echo '
return 404;
}
}
'> clientCertificateConfigs.txt
'> ~/${FOLDERNAME}/clientCertificateConfigs.txt
sudo sed -i "/^server {/r ${HOME}/${FOLDERNAME}/clientCertificateConfigs.txt" $NGINX_CONFIG_PATH

6
docs/scripts/TLSConfigsForITest.sh Executable file → Normal file
View file

@ -1,5 +1,3 @@
#!/usr/bin/env bash
# This file is Free Software under the MIT License
# without warranty, see README.md and LICENSES/MIT.txt for details.
#
@ -35,14 +33,14 @@ echo '
ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
' > TLSConfigs.txt
' > ~/${FOLDERNAME}/TLSConfigs.txt
# a second listener port for testing setup where someone wants to tunnel access
# to an unpriviledged port and still have the same access url
echo '
listen 8443 ssl default_server; # ipv4
listen [::]:8443 ssl http2 default_server; # ipv6
' > TLS8443Configs.txt
' > ~/${FOLDERNAME}/TLS8443Configs.txt
sudo cp $NGINX_CONFIG_PATH $NGINX_CONFIG_PATH.org
sudo sed -i "/^server {/r ${HOME}/${FOLDERNAME}/TLSConfigs.txt" $NGINX_CONFIG_PATH

8
docs/scripts/createWebserverCertForITest.sh
View file

@ -8,7 +8,7 @@
set -e
cd ~/${FOLDERNAME}
pushd ~/${FOLDERNAME}
certtool --generate-privkey --outfile testserver-key.pem
@ -33,9 +33,11 @@ certtool --generate-certificate --load-privkey testserver-key.pem --outfile test
cat testserver.crt rootca-cert.pem >bundle.crt
SSL_CERTIFICATE=$(
export SSL_CERTIFICATE=$(
echo "$PWD/bundle.crt"
)
SSL_CERTIFICATE_KEY=$(
export SSL_CERTIFICATE_KEY=$(
echo "$PWD/testserver-key.pem"
)
popd

10
docs/scripts/setupProviderForITest.sh
View file

@ -1,5 +1,5 @@
#!/usr/bin/env bash
#
# This file is Free Software under the MIT License
# without warranty, see README.md and LICENSES/MIT.txt for details.
#
@ -16,7 +16,8 @@ set -e
sudo chgrp -R www-data /var/www
sudo chmod -R g+w /var/www
NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
export NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
export DNS_NAME=csaf.data.security.domain.localhost
sudo cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
@ -62,7 +63,7 @@ echo "
autoindex on;
" > locationConfig.txt
sudo sed -i "/^\s*location \/ {/r locationConfig.txt" $NGINX_CONFIG_PATH # Insert config inside location{}
./DNSConfigForItest.sh
sudo systemctl reload nginx
# assuming that we are in a checked out version in the docs/scripts directory
@ -94,3 +95,6 @@ popd
# Upload files
./uploadToProvider.sh
# Test resolving DNS record
curl https://$DNS_NAME --insecure