SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Issuer documentation

Browse source 
* Documentation for the "issuer" option of the provider.
* More info of the format of the accepted file
* Print out the value of `SSL_CLIENT_I_DN` also when it is not match the issuer.
This commit is contained in:
Fadi Abbud 2022-03-24 16:46:47 +01:00
parent 1a2af34df0
commit 782d653e59
3 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cmd/csaf_provider/controller.go
View file

@ -82,11 +82,11 @@ func (c *controller) auth(
verify := os.Getenv("SSL_CLIENT_VERIFY") verify := os.Getenv("SSL_CLIENT_VERIFY")
log.Printf("SSL_CLIENT_VERIFY: %s\n", verify) log.Printf("SSL_CLIENT_VERIFY: %s\n", verify)
log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
switch { switch {
case verify == "SUCCESS" && (c.cfg.Issuer == nil || *c.cfg.Issuer == os.Getenv("SSL_CLIENT_I_DN")): case verify == "SUCCESS" && (c.cfg.Issuer == nil || *c.cfg.Issuer == os.Getenv("SSL_CLIENT_I_DN")):
log.Printf("user: %s\n", os.Getenv("SSL_CLIENT_S_DN")) log.Printf("user: %s\n", os.Getenv("SSL_CLIENT_S_DN"))
log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
case c.cfg.Password == nil: case c.cfg.Password == nil:
log.Println("No password set, declining access.") log.Println("No password set, declining access.")
http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden) http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden)

1
docs/client-certificate-setup.md
View file

@ -38,6 +38,7 @@ each which a single `if` that matches the `$ssl_client_i_dn` variable
to CAs that you would want to allow for that location. to CAs that you would want to allow for that location.
If you want to restrict the access to the web-interface of the `csaf_provider` for only some TLS client certificates, the CA issuer of these certificates should be assigned to the `issuer` key in the `/user/lib/csaf/config.toml` file e.g. `issuer = "C=DE,O=CSAF Tools Development (internal),CN=Tester" `. If you want to restrict the access to the web-interface of the `csaf_provider` for only some TLS client certificates, the CA issuer of these certificates should be assigned to the `issuer` key in the `/user/lib/csaf/config.toml` file e.g. `issuer = "C=DE,O=CSAF Tools Development (internal),CN=Tester" `.
To inspect the accepted format for this field you can check the value of the `ca:` in the nginx log file `/var/log/nginx/error.log`.
Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
on Debian or Ubuntu.) on Debian or Ubuntu.)

1
docs/provider-setup.md
View file

@ -132,3 +132,4 @@ Provider has many config options described as following:
- dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`. - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
- publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`. - publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
- upload_limit: Set the upload limit size of the file. Default: `50 MiB`. - upload_limit: Set the upload limit size of the file. Default: `50 MiB`.
- issuer: The issuer of the CA, which if set, restricts the writing permission and the accessing to the web-interface to only the client certificates signed with this CA.