Downloader: Add forwarding to HTTP endpoint (#442)

* started with forwarding support in downloader * Add missing files. * Add missing files. * Raise needed Go version * More Go version bumping. * Fix forwarding * Go 1.21+ needed * Make terminating forwarder more robust. * Better var naming * Remove dead code. Improve commentary. * Prepare validation status adjustment. * Move validations to functions to make them executable in a loop. * Introduce validation mode flag (strict, unsafe)
2025-12-22 05:40:11 +01:00 · 2023-08-25 10:31:27 +02:00 · 2023-08-25 10:31:27 +02:00 · e0475791ff
commit e0475791ff
parent 7d3c3a68df
13 changed files with 398 additions and 63 deletions
--- a/docs/csaf_downloader.md
+++ b/docs/csaf_downloader.md
@ -7,28 +7,34 @@ A tool to download CSAF documents from CSAF providers.
 csaf_downloader [OPTIONS] domain...

 Application Options:
-  -d, --directory=DIR                   DIRectory to store the downloaded files in
-      --insecure                        Do not check TLS certificates from provider
-      --ignoresigcheck                  Ignore signature check results, just warn on mismatch
-      --client-cert=CERT-FILE           TLS client certificate file (PEM encoded data)
-      --client-key=KEY-FILE             TLS client private key file (PEM encoded data)
-      --client-passphrase=PASSPHRASE    Optional passphrase for the client cert (limited, experimental, see doc)
-      --version                         Display version of the binary
-  -v, --verbose                         Verbose output
-  -r, --rate=                           The average upper limit of https operations per second (defaults to
-                                        unlimited)
-  -w, --worker=NUM                      NUMber of concurrent downloads (default: 2)
-  -t, --timerange=RANGE                 RANGE of time from which advisories to download
-  -f, --folder=FOLDER                   Download into a given subFOLDER
-  -i, --ignorepattern=PATTERN           Do not download files if their URLs match any of the given PATTERNs
-  -H, --header=                         One or more extra HTTP header fields
-      --validator=URL                   URL to validate documents remotely
-      --validatorcache=FILE             FILE to cache remote validations
-      --validatorpreset=PRESETS         One or more PRESETS to validate remotely (default: [mandatory])
-  -c, --config=TOML-FILE                Path to config TOML file
+  -d, --directory=DIR                         DIRectory to store the downloaded files in
+      --insecure                              Do not check TLS certificates from provider
+      --ignoresigcheck                        Ignore signature check results, just warn on mismatch
+      --client-cert=CERT-FILE                 TLS client certificate file (PEM encoded data)
+      --client-key=KEY-FILE                   TLS client private key file (PEM encoded data)
+      --client-passphrase=PASSPHRASE          Optional passphrase for the client cert (limited, experimental, see doc)
+      --version                               Display version of the binary
+  -v, --verbose                               Verbose output
+  -n, --nostore                               Do not store files
+  -r, --rate=                                 The average upper limit of https operations per second (defaults to
+                                              unlimited)
+  -w, --worker=NUM                            NUMber of concurrent downloads (default: 2)
+  -t, --timerange=RANGE                       RANGE of time from which advisories to download
+  -f, --folder=FOLDER                         Download into a given subFOLDER
+  -i, --ignorepattern=PATTERN                 Do not download files if their URLs match any of the given PATTERNs
+  -H, --header=                               One or more extra HTTP header fields
+      --validator=URL                         URL to validate documents remotely
+      --validatorcache=FILE                   FILE to cache remote validations
+      --validatorpreset=PRESETS               One or more PRESETS to validate remotely (default: [mandatory])
+  -m, --validationmode=MODE[strict|unsafe]    MODE how strict the validation is (default: strict)
+      --forwardurl=URL                        URL of HTTP endpoint to forward downloads to
+      --forwardheader=                        One or more extra HTTP header fields used by forwarding
+      --forwardqueue=LENGTH                   Maximal queue LENGTH before forwarder
+      --forwardinsecure                       Do not check TLS certificates from forward endpoint
+  -c, --config=TOML-FILE                      Path to config TOML file

 Help Options:
-  -h, --help                            Show this help message
+  -h, --help                                  Show this help message
 ```

 Will download all CSAF documents for the given _domains_, by trying each as a CSAF provider.
@ -67,6 +73,11 @@ worker              = 2
 # validator         # not set by default
 # validatorcache    # not set by default
 validatorpreset     = ["mandatory"]
+validation_mode     = "strict"
+# forward_url       # not set by default
+# forward_header    # not set by default
+forward_queue       = 5
+forward_insecure    = false
 ```

 The `timerange` parameter enables downloading advisories which last changes falls