* Move example and integration test configuration files to /etc/csaf,
this includes the provider's config.toml as well as the test OpenPGP keys.
This shall make it more compatible with good practices like the FHS.
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: Bernhard Reiter <bernhard@intevation.de>
* Adds option to require Client Certificate and a Password to aquire write access in provider
* Removed unnecessary flavourtext from provider markdown file
* Fixed and simplified the auth middleware
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* provider now checks for undecoded config entries and returns an error if any are found
* Specific error message now in server logs, more general message for user
* Changes spaces to tabs for formatting consistency
* Further formatting
* Improved handling of undecoded TOML fields in config.
* aggregator now checks for not decoded config options
Co-authored-by: Jan Höfelmeyer <Jan Höfelmeyer jhoefelmeyer@intevation.de>
Co-authored-by: Sascha L. Teichmann <sascha.teichmann@intevation.de>
* Simple tool to test the remote validation
* Added remote validator support to provider.
* Added remote validation to aggregator.
* Calm golint
* Removed csaf_remote_validator tool as it was only for dev.
* Re-added csaf_remote_validator tool. Testing is not done.
* Embed the document entirely
* Include testing the remote validator in the Itests
* Change permission of the script
* Remove code for Itests
* As these will be done in another branch
Co-authored-by: Fadi Abbud <fadi.abbud@intevation.de>
* Change options when creating the armored version of the signature
to leave out the optional headers, which would be `Version:`
and `Comment:`, as it is considered uncommon for a while now to
set these.
* Adjust provider and aggregator to copy the used openpgp pubkey into a locally
provided directory `openpgp` beside the `prodiver-metadata.json`.
This more robust and self-reliant than using a public pubkey server,
which is the reason why the CSAF 2.0 csd02 mentions it as example in
"7.1.20 Requirement 20: Public OpenPGP Key".
* Improve aggregator by removing a typo `aggreator` from one written paths.
(Done with this change as it also affects the openpgp/ paths writing.)
solve #85
* Add util function to check a filename for confirming to csaf-v2.0-csd02.
* Add code to reject bad filenames in provider, checker, aggregator and uploader.
* Factor JSON evaluation and construction base URLs out of of checker.
* Move json path matching to util.
* Add csaf_aggregator (as additional command)
* Improve itest workflow to checkout the branch where it is running on.
resolve #105
resolve #72
Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
Co-authored-by: Bernhard Reiter <bernhard@intevation.de>
Co-authored-by: Fadi Abbud <fadi.abbud@intevation.de>
* Add flag to display the version for each binary. It is based on `git describe` but adds
a number to the PATCH level if we are between annotated tags, so makes it semver.org
compatible. Use the "-ldflags" method that also works with go 1.17.
* Use Makefile bash and sed magic to do PATCH level increase if needed.
Co-authored-by: Bernhard Reiter <bernhard@intevation.de>
* Documentation for the "issuer" option of the provider.
* More info of the format of the accepted file
* Print out the value of `SSL_CLIENT_I_DN` also when it is not match the issuer.
* Add a first description of the config options for csaf_provider.
* Change option name from `domain` to `canonical_prefix_url`
to make the usage more intuitively. Use`https` in the default,
if unset.
resolve #32
Co-authored-by: Bernhard E. Reiter <bernhard@intevation.de>
Co-authored-by: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com>
* "Issuer" config option for setting the CA issuer, these is used to
determine the valid TLS client certificates that allowed to access the
web-interface of the provider.
* Improve nginx setup to transfer auth information to the fcgiwrap
backend.
* Add instructions for creating client certs for testing.
* Add debug output to see if and which client cert has been used when
calling the csaf_provider.go .
