SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Add client certificate support to the downloader

Browse source
This commit is contained in:
Sascha L. Teichmann 2023-08-02 21:16:32 +02:00
parent 017a6b0a10
commit f31ee53c27
3 changed files with 63 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

20
cmd/csaf_downloader/config.go
View file

@ -9,8 +9,10 @@
package main package main
import ( import (
"crypto/tls"
"net/http" "net/http"
"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
"github.com/csaf-poc/csaf_distribution/v2/internal/filter" "github.com/csaf-poc/csaf_distribution/v2/internal/filter"
"github.com/csaf-poc/csaf_distribution/v2/internal/models" "github.com/csaf-poc/csaf_distribution/v2/internal/models"
"github.com/csaf-poc/csaf_distribution/v2/internal/options" "github.com/csaf-poc/csaf_distribution/v2/internal/options"
@ -25,6 +27,9 @@ type config struct {
Directory *string `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"` Directory *string `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"`
Insecure bool `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"` Insecure bool `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
IgnoreSignatureCheck bool `long:"ignoresigcheck" description:"Ignore signature check results, just warn on mismatch" toml:"ignoresigcheck"` IgnoreSignatureCheck bool `long:"ignoresigcheck" description:"Ignore signature check results, just warn on mismatch" toml:"ignoresigcheck"`
ClientCert *string `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE" toml:"client_cert"`
ClientKey *string `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
ClientPassphrase *string `long:"client-passphrase" description:"Optional passphrase for the client certificate" value-name:"PASSPHRASE" toml:"client_passphrase"`
Version bool `long:"version" description:"Display version of the binary" toml:"-"` Version bool `long:"version" description:"Display version of the binary" toml:"-"`
Verbose bool `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"` Verbose bool `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
Rate *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"` Rate *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
@ -41,6 +46,7 @@ type config struct {
Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"` Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"`
clientCerts []tls.Certificate
ignorePattern filter.PatternMatcher ignorePattern filter.PatternMatcher
} }
@ -90,7 +96,21 @@ func (cfg *config) compileIgnorePatterns() error {
return nil return nil
} }
// prepareCertificates loads the client side certificates used by the HTTP client.
func (cfg *config) prepareCertificates() error {
cert, err := certs.LoadCertificate(
cfg.ClientCert, cfg.ClientKey, cfg.ClientPassphrase)
if err != nil {
return err
}
cfg.clientCerts = cert
return nil
}
// prepare prepares internal state of a loaded configuration. // prepare prepares internal state of a loaded configuration.
func (cfg *config) prepare() error { func (cfg *config) prepare() error {
if err := cfg.prepareCertificates(); err != nil {
return err
}
return cfg.compileIgnorePatterns() return cfg.compileIgnorePatterns()
} }

7
cmd/csaf_downloader/downloader.go
View file

@ -84,10 +84,15 @@ func (d *downloader) httpClient() util.Client {
var tlsConfig tls.Config var tlsConfig tls.Config
if d.cfg.Insecure { if d.cfg.Insecure {
tlsConfig.InsecureSkipVerify = true tlsConfig.InsecureSkipVerify = true
}
if len(d.cfg.clientCerts) != 0 {
tlsConfig.Certificates = d.cfg.clientCerts
}
hClient.Transport = &http.Transport{ hClient.Transport = &http.Transport{
TLSClientConfig: &tlsConfig, TLSClientConfig: &tlsConfig,
} }
}
client := util.Client(&hClient) client := util.Client(&hClient)

8
docs/csaf_downloader.md
View file

@ -10,6 +10,9 @@ Application Options:
-d, --directory=DIR DIRectory to store the downloaded files in -d, --directory=DIR DIRectory to store the downloaded files in
--insecure Do not check TLS certificates from provider --insecure Do not check TLS certificates from provider
--ignoresigcheck Ignore signature check results, just warn on mismatch --ignoresigcheck Ignore signature check results, just warn on mismatch
--client-cert=CERT-FILE TLS client certificate file (PEM encoded data)
--client-key=KEY-FILE TLS client private key file (PEM encoded data)
--client-passphrase=PASSPHRASE Optional passphrase for the client certificate
--version Display version of the binary --version Display version of the binary
-v, --verbose Verbose output -v, --verbose Verbose output
-r, --rate= The average upper limit of https operations per second (defaults to unlimited) -r, --rate= The average upper limit of https operations per second (defaults to unlimited)
@ -47,8 +50,11 @@ with `~` expanding to `$HOME` on unixoid systems and `%HOMEPATH` on Windows syst
Supported options in config files: Supported options in config files:
``` ```
directory # not set by default # directory # not set by default
insecure = false insecure = false
# client_cert # not set by default
# client_key # not set by default
# client_passphrase # not set by default
ignoresigcheck = false ignoresigcheck = false
verbose = false verbose = false
# rate # set to unlimited # rate # set to unlimited