From f77bb5f1a8f75eb91dfa07789744b0d72dc2c8cc Mon Sep 17 00:00:00 2001
From: "Sascha L. Teichmann" <sascha.teichmann@intevation.de>
Date: Thu, 2 Dec 2021 10:51:25 +0100
Subject: [PATCH] Added default publisher if not configured. Warning if uploads
 don't have the same publisher as in metadata.

---
 cmd/csaf_provider/config.go        |  8 +++++++
 cmd/csaf_provider/controller.go    | 19 ++++++++++++---
 cmd/csaf_provider/tmpl/upload.html | 10 ++++++++
 csaf/models.go                     | 37 ++++++++++++++++++++++++++----
 4 files changed, 66 insertions(+), 8 deletions(-)

diff --git a/cmd/csaf_provider/config.go b/cmd/csaf_provider/config.go
index c21f1b2..1221397 100644
--- a/cmd/csaf_provider/config.go
+++ b/cmd/csaf_provider/config.go
@@ -113,5 +113,13 @@ func loadConfig() (*config, error) {
 		cfg.OpenPGPURL = defaultOpenPGPURL
 	}
 
+	if cfg.Publisher == nil {
+		cfg.Publisher = &csaf.Publisher{
+			Category:  func(c csaf.Category) *csaf.Category { return &c }(csaf.CSAFCategoryVendor),
+			Name:      func(s string) *string { return &s }("ACME"),
+			Namespace: func(s string) *string { return &s }("https://example.com"),
+		}
+	}
+
 	return &cfg, nil
 }
diff --git a/cmd/csaf_provider/controller.go b/cmd/csaf_provider/controller.go
index c441106..d155594 100644
--- a/cmd/csaf_provider/controller.go
+++ b/cmd/csaf_provider/controller.go
@@ -215,6 +215,9 @@ func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var warnings []string
+	warn := func(msg string) { warnings = append(warnings, msg) }
+
 	if err := doTransaction(
 		c.cfg, t,
 		func(folder string, pmd *csaf.ProviderMetadata) error {
@@ -328,14 +331,23 @@ func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
 			}
 
 			// Take over publisher
-			// TODO: Check for conflicts.
-			pmd.Publisher = ex.publisher
+			switch {
+			case pmd.Publisher == nil:
+				warn("Publisher in provider metadata is not initialized. Forgot to configure?")
+				if c.cfg.DynamicProviderMetaData {
+					warn("Taking publisher from CSAF")
+					pmd.Publisher = ex.publisher
+				}
+			case !pmd.Publisher.Equals(ex.publisher):
+				warn("Publishers in provider metadata and CSAF do not match.")
+			}
 
 			keyID, fingerprint := key.GetHexKeyID(), key.GetFingerprint()
 			pmd.SetPGP(fingerprint, c.cfg.GetOpenPGPURL(keyID))
 
 			return nil
-		}); err != nil {
+		},
+	); err != nil {
 		c.failed(rw, "upload.html", err)
 		return
 	}
@@ -343,6 +355,7 @@ func (c *controller) upload(rw http.ResponseWriter, r *http.Request) {
 	result := map[string]interface{}{
 		"Name":        newCSAF,
 		"ReleaseDate": ex.currentReleaseDate.Format(dateFormat),
+		"Warnings":    warnings,
 	}
 
 	c.render(rw, "upload.html", result)
diff --git a/cmd/csaf_provider/tmpl/upload.html b/cmd/csaf_provider/tmpl/upload.html
index d2501ff..72ebfed 100644
--- a/cmd/csaf_provider/tmpl/upload.html
+++ b/cmd/csaf_provider/tmpl/upload.html
@@ -14,6 +14,16 @@
       <tr><td>CSAF file:</td><td><tt>{{ .Name }}</tt></td></tr>
       <tr><td>Release date:</td><td><tt>{{ .ReleaseDate }}</tt></td></tr>
     </table>
+    {{ if .Warnings }}
+    <p>
+    Warning(s):
+    <ul>
+      {{ range .Warnings }}
+      <li>{{ . }}</li>
+      {{ end }}
+    </ul>
+    </p>
+    {{ end }}
     {{ end }}
     <br>
     <a href="/cgi-bin/csaf_provider.go/">Back</a>:
diff --git a/csaf/models.go b/csaf/models.go
index b5ebac4..b313ab3 100644
--- a/csaf/models.go
+++ b/csaf/models.go
@@ -283,20 +283,47 @@ func (r *ROLIE) Validate() error {
 
 // Validate checks if the publisher is valid.
 // Returns an error if the validation fails otherwise nil.
-func (cp *Publisher) Validate() error {
+func (p *Publisher) Validate() error {
 	switch {
-	case cp == nil:
+	case p == nil:
 		return errors.New("publisher is mandatory")
-	case cp.Category == nil:
+	case p.Category == nil:
 		return errors.New("publisher.category is mandatory")
-	case cp.Name == nil:
+	case p.Name == nil:
 		return errors.New("publisher.name is mandatory")
-	case cp.Namespace == nil:
+	case p.Namespace == nil:
 		return errors.New("publisher.namespace is mandatory")
 	}
 	return nil
 }
 
+func strPtrEquals(a, b *string) bool {
+	switch {
+	case a == nil:
+		return b == nil
+	case b == nil:
+		return false
+	default:
+		return *a == *b
+	}
+}
+
+// Equals checks if the publisher is equal to other componentwise.
+func (p *Publisher) Equals(o *Publisher) bool {
+	switch {
+	case p == nil:
+		return o == nil
+	case o == nil:
+		return false
+	default:
+		return strPtrEquals((*string)(p.Category), (*string)(o.Category)) &&
+			strPtrEquals(p.Name, o.Name) &&
+			strPtrEquals(p.Namespace, o.Namespace) &&
+			p.ContactDetails == o.ContactDetails &&
+			p.IssuingAuthority == o.IssuingAuthority
+	}
+}
+
 // Validate checks if the PGPKey is valid.
 // Returns an error if the validation fails otherwise nil.
 func (pk *PGPKey) Validate() error {