From 6f02e6f5a5741500d2feb94900cd8fa08845de1d Mon Sep 17 00:00:00 2001 From: Fadi Abbud <39081670+Fadiabb@users.noreply.github.com> Date: Fri, 13 May 2022 11:04:38 +0200 Subject: [PATCH] Improve documentation and its structure * Add short description for each component in the main README * Move more Info in separated files. * Add hint that csaf_provider offers a service interface. * Explain why windows only has uploader and checker. Co-authored-by: Bernhard Reiter --- Makefile | 2 +- README.md | 87 ++++++++++++----------------------- docs/csaf_aggregator.md | 12 +++++ docs/csaf_checker.md | 16 +++++++ docs/csaf_provider.md | 24 ++++++++++ docs/csaf_uploader.md | 48 +++++++++++++++++++ docs/release-process-hints.md | 3 ++ 7 files changed, 134 insertions(+), 58 deletions(-) create mode 100644 docs/csaf_aggregator.md create mode 100644 docs/csaf_checker.md create mode 100644 docs/csaf_provider.md create mode 100644 docs/csaf_uploader.md create mode 100644 docs/release-process-hints.md diff --git a/Makefile b/Makefile index ffda92b..7b0c608 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ dist: build_linux build_win cp README.md dist/$(DISTDIR)-windows-amd64 cp bin-windows-amd64/csaf_uploader.exe bin-windows-amd64/csaf_checker.exe dist/$(DISTDIR)-windows-amd64/bin-windows-amd64/ mkdir -p dist/$(DISTDIR)-windows-amd64/docs - #cp docs/csaf_uploader.md docs/csaf_checker.md dist/$(DISTDIR)-windows-amd64/docs + cp docs/csaf_uploader.md docs/csaf_checker.md dist/$(DISTDIR)-windows-amd64/docs mkdir dist/$(DISTDIR)-gnulinux-amd64 cp -r README.md docs bin-linux-amd64 dist/$(DISTDIR)-gnulinux-amd64 cd dist/ ; zip -r $(DISTDIR)-windows-amd64.zip $(DISTDIR)-windows-amd64/ diff --git a/README.md b/README.md index 0acf0e0..0c2886a 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,36 @@ # csaf_distribution -A proof of concept implementation of -an CSAF 2.0 trusted provider, checker and aggregator. -Includes an uploader command line tool for the trusted provider. +A proof of concept implementation of a [CSAF 2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02.html) trusted provider, checker and aggregator. Includes an uploader command line tool for the trusted provider. Status: Alpha (all planned functionality, but known defects, see issues.) + +## [csaf_provider](docs/csaf_provider.md) +is an implementation of the role CSAF Trusted Provider, also offering +a simple HTTPS based management service. + +## [csaf_uploader](docs/csaf_uploader.md) +is a command line tool that uploads CSAF documents to the `csaf_provider`. + +## [csaf_aggregator](docs/csaf_aggregator.md) +is an implementation of the role CSAF Aggregator. + +## [csaf_checker](docs/csaf_checker.md) +is a tool for testing a CSAF Trusted Provider according to [Section 7 of the CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#7-distributing-csaf-documents). + ## Setup +Note that the server side is only tested +and the binaries available for GNU/Linux-Systems, e.g. Ubuntu LTS. +It is likely to run on similar systems when build from sources. + +The windows binaries only include `csaf_uploader` and `csaf_checker`. + +### Prebuild binaries + +Download the binaries (from the most recent release assets on Github). + + +### Build from sources - A recent version of **Go** (1.17+) should be installed. [Go installation](https://go.dev/doc/install) @@ -23,65 +47,14 @@ Status: Alpha (all planned functionality, but known defects, see issues.) Binaries will be placed in directories named like `bin-linux-amd64/` and `bin-windows-amd64/`. + +### Setup (Trusted Provider) + - [Install](https://nginx.org/en/docs/install.html) **nginx** - To install server certificate on nginx see [docs/install-server-certificate.md](docs/install-server-certificate.md) - To configure nginx see [docs/provider-setup.md](docs/provider-setup.md) - To configure nginx for client certificate authentication see [docs/client-certificate-setup.md](docs/client-certificate-setup.md) -## csaf_uploader - -csaf_uploader is a command line tool that uploads CSAF documents to the trusted provider (CSAF_Provider). -Following options are supported: - -| Options | Description | -| ------------------------------------------ | ------------------------------------------------------------------------------------------ | -| -a, --action=[upload\|create] | Action to perform (default: upload) | -| -u, --url=URL | URL of the CSAF provider (default:https://localhost/cgi-bin/csaf_provider.go) | -| -t, --tlp=[csaf\|white\|green\|amber\|red] | TLP of the feed (default: csaf) | -| -x, --external-signed | CSAF files are signed externally. Assumes .asc files beside CSAF files | -| -k, --key=KEY-FILE | OpenPGP key to sign the CSAF files | -| -p, --password=PASSWORD | Authentication password for accessing the CSAF provider | -| -P, --passphrase=PASSPHRASE | Passphrase to unlock the OpenPGP key | -| -i, --password-interactive | Enter password interactively | -| -I, --passphrase-interacive | Enter passphrase interactively | -| -c, --config=INI-FILE | Path to config ini file | -| --insecure | Do not check TLS certificates from provider | -| --client-cert | TLS client certificate file (PEM encoded data) | -| --client-key | TLS client private key file (PEM encoded data) | -| -h, --help | Show help | - -E.g. creating the initial directiories and files - -``` -./csaf_uploader -a create -u http://localhost/cgi-bin/csaf_provider.go -``` - -E.g. uploading a csaf-document - -``` -./csaf_uploader -a upload -I -t white -u http://localhost/cgi-bin/csaf_provider.go CSAF-document-1.json -``` - -which asks to enter password interactively. - -csaf_uploader can be started with a config file like following: - -``` -./csaf_provider -c conf.ini -``` - -config.ini : - -``` -action=create -u=http://localhost/cgi-bin/csaf_provider.go -``` - -## csaf_checker - -Provider checker is a tool for testing a CSAF trusted provider according to [Section 7 of the CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#7-distributing-csaf-documents). -Usage example: -``` ./csaf_checker example.com -f html -o check-results.html``` ## License diff --git a/docs/csaf_aggregator.md b/docs/csaf_aggregator.md new file mode 100644 index 0000000..9182dcb --- /dev/null +++ b/docs/csaf_aggregator.md @@ -0,0 +1,12 @@ +## csaf_aggregator + +Following options are supported: + +| Options | Description | +| --------------------- | -------------------------------------------------------------- | +| -c, --config=CFG-FILE | File name of the configuration file (default: aggregator.toml) | +| -i, --interim | Perform an interim scan | +| --version | Display version of the binary | + +Usage example: +``` ./csaf_aggregator -c docs/examples/aggregator.toml ``` diff --git a/docs/csaf_checker.md b/docs/csaf_checker.md new file mode 100644 index 0000000..09d0656 --- /dev/null +++ b/docs/csaf_checker.md @@ -0,0 +1,16 @@ +## csaf_checker + +Following options are supported: + +| Options | Description | +| ------------------------------------------ | ---------------------------------------------- | +| -o, --output=REPORT-FILE | File name of the generated report | +| -f, --format=[json | html] | +| -t, --tlp=[csaf\|white\|green\|amber\|red] | Format of report (default: json) | +| --insecure | o not check TLS certificates from provider | +| --client-cert=CERT-FILE | TLS client certificate file (PEM encoded data) | +| --client-key=KEY-FILE | TLS client private key file (PEM encoded data) | +| --version | Display version of the binary | + +Usage example: +` ./csaf_checker example.com -f html -o check-results.html` diff --git a/docs/csaf_provider.md b/docs/csaf_provider.md new file mode 100644 index 0000000..311b006 --- /dev/null +++ b/docs/csaf_provider.md @@ -0,0 +1,24 @@ +## Provider options +Following options are supported: + + - password: Authentication password for accessing the CSAF provider. + - key: The private OpenPGP key. + - folder: Specify the root folder. Default: `/var/www/`. + - web: Specify the web folder. Default: `/var/www/html`. + - tlps: Set the allowed TLP comming with the upload request (one or more of "csaf", "white", "amber", "green", "red"). + The "csaf" selection lets the provider takes the value from the CSAF document. + These affects the list items in the web interface. + Default: `["csaf", "white", "amber", "green", "red"]`. + - upload_signature: Send signature with the request, an additional input-field in the web interface will be shown to let user enter an ascii armored signature. Default: `false`. + - openpgp_url: URL to OpenPGP key-server. Default: `https://openpgp.circl.lu`. + - canonical_url_prefix: start of the URL where contents shall be accessible from the internet. Default: `https://$SERVER_NAME`. + - no_passphrase: Let user send password with the request, if set to true the input-field in the web interface will be disappeared. Default: `false`. + - no_validation: Validate the uploaded CSAF document against the JSON schema. Default: `false`. + - no_web_ui: Disable the web interface. Default: `false`. + - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`. + - provider_metadata: Configure the provider metadata. + - provider_metadata.list_on_CSAF_aggregators: List on aggregators + - provider_metadata.mirror_on_CSAF_aggregators: Mirror on aggregators + - provider_metadata.publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`. + - upload_limit: Set the upload limit size of the file. Default: `50 MiB`. + - issuer: The issuer of the CA, which if set, restricts the writing permission and the accessing to the web-interface to only the client certificates signed with this CA. diff --git a/docs/csaf_uploader.md b/docs/csaf_uploader.md new file mode 100644 index 0000000..5f95892 --- /dev/null +++ b/docs/csaf_uploader.md @@ -0,0 +1,48 @@ +## csaf_uploader + +Following options are supported: + +| Options | Description | +| ------------------------------------------ | ------------------------------------------------------------------------------------------ | +| -a, --action=[upload\|create] | Action to perform (default: upload) | +| -u, --url=URL | URL of the CSAF provider (default:https://localhost/cgi-bin/csaf_provider.go) | +| -t, --tlp=[csaf\|white\|green\|amber\|red] | TLP of the feed (default: csaf) | +| -x, --external-signed | CSAF files are signed externally. Assumes .asc files beside CSAF files | +| -k, --key=KEY-FILE | OpenPGP key to sign the CSAF files | +| -p, --password=PASSWORD | Authentication password for accessing the CSAF provider | +| -P, --passphrase=PASSPHRASE | Passphrase to unlock the OpenPGP key | +| -i, --password-interactive | Enter password interactively | +| -I, --passphrase-interacive | Enter passphrase interactively | +| -c, --config=INI-FILE | Path to config ini file | +| --insecure | Do not check TLS certificates from provider | +| --client-cert | TLS client certificate file (PEM encoded data) | +| --client-key | TLS client private key file (PEM encoded data) | +| --version | Display version of the binary | +| -h, --help | Show help | + +E.g. creating the initial directiories and files + +``` +./csaf_uploader -a create -u http://localhost/cgi-bin/csaf_provider.go +``` + +E.g. uploading a csaf-document + +``` +./csaf_uploader -a upload -I -t white -u http://localhost/cgi-bin/csaf_provider.go CSAF-document-1.json +``` + +which asks to enter password interactively. + +csaf_uploader can be started with a config file like following: + +``` +./csaf_provider -c conf.ini +``` + +config.ini : + +``` +action=create +u=http://localhost/cgi-bin/csaf_provider.go +``` diff --git a/docs/release-process-hints.md b/docs/release-process-hints.md new file mode 100644 index 0000000..0a0a21c --- /dev/null +++ b/docs/release-process-hints.md @@ -0,0 +1,3 @@ +When changing the structure of the documenation, +check the toplevel Makefile's dist target so that +the right things are included.