Merge pull request #312 from csaf-poc/downloader-validator

Add remote validator support to downloader
2025-12-22 11:55:40 +01:00 · 2023-01-30 19:35:48 +01:00 · 2023-01-30 19:35:48 +01:00 · f60ec5fea4
commit f60ec5fea4
parent 15e615e653 c8e0804eba
3 changed files with 71 additions and 18 deletions
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
@ -39,12 +39,37 @@ type downloader struct {
 	directory string
 	keys      []*crypto.KeyRing
 	eval      *util.PathEval
+	validator csaf.RemoteValidator
 }

-func newDownloader(opts *options) *downloader {
+func newDownloader(opts *options) (*downloader, error) {
+
+	var validator csaf.RemoteValidator
+
+	if opts.RemoteValidator != "" {
+		validatorOptions := csaf.RemoteValidatorOptions{
+			URL:     opts.RemoteValidator,
+			Presets: opts.RemoteValidatorPresets,
+			Cache:   opts.RemoteValidatorCache,
+		}
+		var err error
+		if validator, err = validatorOptions.Open(); err != nil {
+			return nil, fmt.Errorf(
+				"preparing remote validator failed: %w", err)
+		}
+	}
+
 	return &downloader{
-		opts: opts,
-		eval: util.NewPathEval(),
+		opts:      opts,
+		eval:      util.NewPathEval(),
+		validator: validator,
+	}, nil
+}
+
+func (d *downloader) close() {
+	if d.validator != nil {
+		d.validator.Close()
+		d.validator = nil
 	}
 }

@ -336,6 +361,19 @@ func (d *downloader) downloadFiles(label csaf.TLPLabel, files []csaf.AdvisoryFil
 			continue
 		}

+		// Validate against remote validator
+		if d.validator != nil {
+			ok, err := d.validator.Validate(doc)
+			if err != nil {
+				return fmt.Errorf(
+					"calling remote validator on %q failed: %w",
+					file.URL(), err)
+			}
+			if !ok {
+				log.Printf("Remote validation of %q failed\n", file.URL())
+			}
+		}
+
 		if err := d.eval.Extract(`$.document.tracking.initial_release_date`, dateExtract, false, doc); err != nil {
 			log.Printf("Cannot extract initial_release_date from advisory '%s'\n", file.URL())
 			initialReleaseDate = time.Now()
--- a/cmd/csaf_downloader/main.go
+++ b/cmd/csaf_downloader/main.go
@ -20,12 +20,17 @@ import (
 )

 type options struct {
-	Directory   *string     `short:"d" long:"directory" description:"Directory to store the downloaded files in"`
-	Insecure    bool        `long:"insecure" description:"Do not check TLS certificates from provider"`
-	Version     bool        `long:"version" description:"Display version of the binary"`
-	Verbose     bool        `long:"verbose" short:"v" description:"Verbose output"`
-	Rate        *float64    `long:"rate" short:"r" description:"The average upper limit of https operations per second"`
+	Directory *string  `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR"`
+	Insecure  bool     `long:"insecure" description:"Do not check TLS certificates from provider"`
+	Version   bool     `long:"version" description:"Display version of the binary"`
+	Verbose   bool     `long:"verbose" short:"v" description:"Verbose output"`
+	Rate      *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second"`
+
 	ExtraHeader http.Header `long:"header" short:"H" description:"One or more extra HTTP header fields"`
+
+	RemoteValidator        string   `long:"validator" description:"URL to validate documents remotely" value-name:"URL"`
+	RemoteValidatorCache   string   `long:"validatorcache" description:"FILE to cache remote validations" value-name:"FILE"`
+	RemoteValidatorPresets []string `long:"validatorpreset" description:"One or more presets to validate remotely" default:"mandatory"`
 }

 func errCheck(err error) {
@ -37,6 +42,15 @@ func errCheck(err error) {
 	}
 }

+func run(opts *options, domains []string) error {
+	d, err := newDownloader(opts)
+	if err != nil {
+		return err
+	}
+	defer d.close()
+	return d.run(domains)
+}
+
 func main() {

 	opts := new(options)
@ -56,7 +70,5 @@ func main() {
 		return
 	}

-	d := newDownloader(opts)
-
-	errCheck(d.run(domains))
+	errCheck(run(opts, domains))
 }
--- a/docs/csaf_downloader.md
+++ b/docs/csaf_downloader.md
@ -7,13 +7,16 @@ A tool to download CSAF content from a specific domain/provider.
 csaf_downloader [OPTIONS] domain...

 Application Options:
-  -d, --directory= Directory to store the downloaded files in
-      --insecure   Do not check TLS certificates from provider
-      --version    Display version of the binary
-  -v, --verbose    Verbose output
-  -r, --rate=      The average upper limit of https operations per second
-  -H, --header=    One or more extra HTTP header fields
+  -d, --directory=DIR          DIRectory to store the downloaded files in
+      --insecure               Do not check TLS certificates from provider
+      --version                Display version of the binary
+  -v, --verbose                Verbose output
+  -r, --rate=                  The average upper limit of https operations per second
+  -H, --header=                One or more extra HTTP header fields
+      --validator=URL          URL to validate documents remotely
+      --validatorcache=FILE    FILE to cache remote validations
+      --validatorpreset=       One or more presets to validate remotely (default: mandatory)

 Help Options:
-  -h, --help       Show this help message
+  -h, --help                   Show this help message
 ```